From 53085f69fa866b52d429523d8fbd6c19efb127a6 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Thu, 17 Sep 2020 11:59:45 +0200
Subject: [PATCH 01/10] Add related.hosts to panos

---
 .../module/panw/panos/config/input.yml        |   2 +-
 .../module/panw/panos/ingest/pipeline.yml     |   5 +
 .../panw/panos/test/threat.log-expected.json  | 228 +++++++++++++
 .../panw/panos/test/traffic.log-expected.json | 300 ++++++++++++++++++
 4 files changed, 534 insertions(+), 1 deletion(-)

diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index ed3d089bb28..258dda2c70d 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -195,4 +195,4 @@ processors:
   - add_fields:
       target: ''
       fields:
-        ecs.version: 1.5.0
+        ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
index 412ddeb5c58..0aa10baa6eb 100644
--- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
@@ -472,6 +472,11 @@ processors:
       value: "{{panw.panos.file.hash}}"
       if: "ctx?.panw?.panos?.file?.hash != null"
 
+  - append:
       field: related.hosts
       value: "{{observer.hostname}}"
       if: "ctx?.observer?.hostname != null"
+
   # Remove temporary fields.
   - remove:
       field:
diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
index 20c28165a42..93fe08f75d9 100644
--- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json
@@ -73,6 +73,9 @@
         "panw.panos.threat.resource": "consent.cmp.oath.com/",
         "panw.panos.type": "THREAT",
         "panw.panos.url.category": "business-and-economy",
+        "related.hosts": [
+            "PA-220"
+        ],
         "related.ip": [
             "192.168.15.224",
             "152.195.55.192",
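Review bot: The new `append` in pipeline.yml only puts the firewall's own name (`observer.hostname`) into `related.hosts`, while the hostnames the event is actually about are not collected — the threat fixtures in this same patch still carry the URL host only under `panw.panos.threat.resource` (`consent.cmp.oath.com/`) and `related.hosts` comes out as just `PA-220`. ECS defines `related.hosts` as every hostname seen on the event, so an analyst pivoting on a domain across modules will not hit these records. If the pipeline already populates `url.domain` (or `destination.domain`) outside this hunk, a second append guarded the same way closes the gap; if it does not, a comment above the new step such as `# related.hosts currently carries only the observer; URL/destination hosts are not yet extracted.` would make the limitation explicit for the next maintainer. The enclosing `processors` list starts and ends outside the hunk.
```yaml
      if: "ctx?.observer?.hostname != null"
  - append:
      field: related.hosts
      value: "{{url.domain}}"
      if: "ctx?.url?.domain != null"
  # … unchanged: remove of temporary fields …
```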
@@ -171,6 +174,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -269,6 +275,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -367,6 +376,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -465,6 +477,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -563,6 +578,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -661,6 +679,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -759,6 +780,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -857,6 +881,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -955,6 +982,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1053,6 +1083,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1151,6 +1184,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1249,6 +1285,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1347,6 +1386,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1445,6 +1487,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1543,6 +1588,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1641,6 +1689,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -1739,6 +1790,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1837,6 +1891,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -1935,6 +1992,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2033,6 +2093,9 @@ "panw.panos.threat.resource": "b.scorecardresearch.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.137.131", @@ -2131,6 +2194,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2229,6 +2295,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2327,6 +2396,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2425,6 +2497,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -2523,6 +2598,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2621,6 +2699,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2719,6 +2800,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2817,6 +2901,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -2915,6 +3002,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3013,6 +3103,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3111,6 +3204,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3209,6 +3305,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", 
@@ -3307,6 +3406,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3405,6 +3507,9 @@ "panw.panos.threat.resource": "consent.cmp.oath.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "152.195.55.192", @@ -3503,6 +3608,9 @@ "panw.panos.threat.resource": "cdn.taboola.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -3604,6 +3712,9 @@ "panw.panos.threat.resource": "rules.quantcount.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.192.7.152", @@ -3705,6 +3816,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3806,6 +3920,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -3907,6 +4024,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -4008,6 +4128,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4109,6 +4232,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4210,6 +4336,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4311,6 +4440,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4412,6 +4544,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4513,6 +4648,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4614,6 +4752,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", 
@@ -4715,6 +4856,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4816,6 +4960,9 @@ "panw.panos.threat.resource": "srv-2018-11-30-22.config.parsely.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.4.120.175", @@ -4917,6 +5064,9 @@ "panw.panos.threat.resource": "www.googleadservices.com/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.98", @@ -5015,6 +5165,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5113,6 +5266,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5211,6 +5367,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5309,6 +5468,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5407,6 +5569,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", 
@@ -5505,6 +5670,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5603,6 +5771,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5701,6 +5872,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5799,6 +5973,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5897,6 +6074,9 @@ "panw.panos.threat.resource": "service.maxymiser.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.72.145.245", @@ -5998,6 +6178,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6099,6 +6282,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6200,6 +6386,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -6301,6 +6490,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6402,6 +6594,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6503,6 +6698,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6604,6 +6802,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6705,6 +6906,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6806,6 +7010,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -6907,6 +7114,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7008,6 +7218,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", 
@@ -7109,6 +7322,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7210,6 +7426,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7311,6 +7530,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7412,6 +7634,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", @@ -7513,6 +7738,9 @@ "panw.panos.threat.resource": "segment-data.zqtk.net/", "panw.panos.type": "THREAT", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.209.101.70", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 60e5c4a2b29..5f979092c4b 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -79,6 +79,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "184.51.253.152", @@ -185,6 +188,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -294,6 +300,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.253.3.202", @@ -400,6 +409,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -509,6 +521,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "216.58.194.99", @@ -615,6 +630,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "209.234.224.22", @@ -721,6 +739,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -827,6 +848,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.2.238", @@ -933,6 +957,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1039,6 +1066,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1145,6 +1175,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "17.249.60.78", 
@@ -1251,6 +1284,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1357,6 +1393,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1463,6 +1502,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1569,6 +1611,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -1675,6 +1720,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1781,6 +1829,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -1887,6 +1938,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "98.138.49.44", @@ -1993,6 +2047,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "72.30.3.43", @@ -2099,6 +2156,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", 
@@ -2205,6 +2265,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", @@ -2311,6 +2374,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.207", "8.8.8.8", @@ -2420,6 +2486,9 @@ "panw.panos.sub_type": "start", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.84.80.198", @@ -2527,6 +2596,9 @@ "panw.panos.sub_type": "drop", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -2633,6 +2705,9 @@ "panw.panos.sub_type": "deny", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -2735,6 +2810,9 @@ "panw.panos.source.zone": "trust", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -2838,6 +2916,9 @@ "panw.panos.sub_type": "test", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "172.217.9.142", @@ -2944,6 +3025,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "151.101.2.2", @@ -3053,6 +3137,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "216.58.194.66", 
@@ -3159,6 +3246,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3265,6 +3355,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.210", "8.8.8.8", @@ -3371,6 +3464,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.253.193", @@ -3477,6 +3573,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -3584,6 +3683,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.55.52", @@ -3693,6 +3795,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "199.167.52.219", @@ -3802,6 +3907,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.71.117.196", @@ -3908,6 +4016,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4014,6 +4125,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -4123,6 +4237,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.194.41", @@ -4228,6 +4345,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "insufficient-content", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.124.9", @@ -4337,6 +4457,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.131.237", @@ -4443,6 +4566,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", @@ -4552,6 +4678,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.190.88.148", @@ -4661,6 +4790,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.186.243.83", @@ -4767,6 +4899,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4873,6 +5008,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -4982,6 +5120,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "100.24.165.74", 
@@ -5088,6 +5229,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "184.51.252.247", @@ -5193,6 +5337,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.201.94.140", @@ -5295,6 +5442,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5401,6 +5551,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5507,6 +5660,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5613,6 +5769,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5719,6 +5878,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5825,6 +5987,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -5931,6 +6096,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -6037,6 +6205,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -6143,6 +6314,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6249,6 +6423,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6355,6 +6532,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6461,6 +6641,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6567,6 +6750,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6673,6 +6859,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6782,6 +6971,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "66.28.0.45", @@ -6888,6 +7080,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -6994,6 +7189,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -7100,6 +7298,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7206,6 +7407,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7312,6 +7516,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7421,6 +7628,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "computer-and-internet-info", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "23.52.174.25", @@ -7527,6 +7737,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7633,6 +7846,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7742,6 +7958,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "54.230.5.228", @@ -7848,6 +8067,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -7954,6 +8176,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -8060,6 +8285,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8166,6 +8394,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.195", "208.83.246.20", @@ -8271,6 +8502,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.196", "8.8.8.8", @@ -8376,6 +8610,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8481,6 +8718,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8588,6 +8828,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "35.185.88.112", @@ -8694,6 +8937,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8800,6 +9046,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", @@ -8906,6 +9155,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "8.8.8.8", 
@@ -9015,6 +9267,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9124,6 +9379,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9233,6 +9491,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9339,6 +9600,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "web-advertisements", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "104.254.150.9", @@ -9448,6 +9712,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "business-and-economy", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "50.19.85.24", @@ -9557,6 +9824,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.0.218.108", @@ -9666,6 +9936,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "52.6.117.19", @@ -9775,6 +10048,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "34.238.96.22", @@ -9884,6 +10160,9 @@ "panw.panos.sub_type": "end", "panw.panos.type": "TRAFFIC", "panw.panos.url.category": "any", + "related.hosts": [ + "PA-220" + ], "related.ip": [ "192.168.15.224", "130.211.47.17", 
@@ -9990,6 +10269,9 @@
 "panw.panos.sub_type": "end",
 "panw.panos.type": "TRAFFIC",
 "panw.panos.url.category": "any",
+ "related.hosts": [
+ "PA-220"
+ ],
 "related.ip": [
 "192.168.15.224",
 "8.8.8.8",
@@ -10096,6 +10378,9 @@
 "panw.panos.sub_type": "end",
 "panw.panos.type": "TRAFFIC",
 "panw.panos.url.category": "any",
+ "related.hosts": [
+ "PA-220"
+ ],
 "related.ip": [
 "192.168.15.224",
 "8.8.8.8",
@@ -10202,6 +10487,9 @@
 "panw.panos.sub_type": "end",
 "panw.panos.type": "TRAFFIC",
 "panw.panos.url.category": "any",
+ "related.hosts": [
+ "PA-220"
+ ],
 "related.ip": [
 "192.168.15.224",
 "8.8.8.8",
@@ -10308,6 +10596,9 @@
 "panw.panos.sub_type": "end",
 "panw.panos.type": "TRAFFIC",
 "panw.panos.url.category": "any",
+ "related.hosts": [
+ "PA-220"
+ ],
 "related.ip": [
 "192.168.15.224",
 "8.8.8.8",
@@ -10414,6 +10705,9 @@
 "panw.panos.sub_type": "end",
 "panw.panos.type": "TRAFFIC",
 "panw.panos.url.category": "any",
+ "related.hosts": [
+ "PA-220"
+ ],
 "related.ip": [
 "192.168.15.224",
 "8.8.8.8",
@@ -10520,6 +10814,9 @@
 "panw.panos.sub_type": "end",
 "panw.panos.type": "TRAFFIC",
 "panw.panos.url.category": "any",
+ "related.hosts": [
+ "PA-220"
+ ],
 "related.ip": [
 "192.168.15.224",
 "8.8.8.8",
@@ -10626,6 +10923,9 @@
 "panw.panos.sub_type": "end",
 "panw.panos.type": "TRAFFIC",
 "panw.panos.url.category": "any",
+ "related.hosts": [
+ "PA-220"
+ ],
 "related.ip": [
 "192.168.15.224",
 "8.8.8.8",
From 0b7bd6f5b314b1ae7676f828f10eca2e6fcf43f1 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Thu, 17 Sep 2020 14:15:35 +0200
Subject: [PATCH 02/10] Add related.hosts to osquery
---
 .../module/osquery/result/config/result.yml | 2 +-
 .../osquery/result/ingest/pipeline.json | 7 +
 .../test/osquery.rootkit.log-expected.json | 180 +++++++++++
 .../osqueryd.results.darwin.log-expected.json | 300 ++++++++++++++++++
 .../osqueryd.results.sample.log-expected.json | 300 ++++++++++++++++++
 .../result/test/test.log-expected.json | 3 +
 6 files changed, 791 insertions(+), 1 deletion(-)
diff --git a/filebeat/module/osquery/result/config/result.yml b/filebeat/module/osquery/result/config/result.yml
index f35881687e8..1d6d2e0d042 100644
--- a/filebeat/module/osquery/result/config/result.yml
+++ b/filebeat/module/osquery/result/config/result.yml
@@ -10,4 +10,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
index c14b9664d1e..c35107a74ca 100644
--- a/filebeat/module/osquery/result/ingest/pipeline.json
+++ b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -206,6 +206,13 @@
 "value": "{{osquery.result.name}}",
 "ignore_empty_value": true
 }
+ },
+ {
+ "append": {
+ "field": "related.hosts",
+ "value": "{{host.hostname}}",
+ "if": "ctx?.host?.hostname != null"
+ }
 }
 ],
 "on_failure" : [{
diff --git a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
index bedd286615d..953a63b299c 100644
--- a/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
+++ b/filebeat/module/osquery/result/test/osquery.rootkit.log-expected.json
@@ -29,6 +29,9 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.hosts": [
+ "ubuntu-xenial"
+ ],
 "related.user": [
 "ubuntu"
 ],
@@ -66,6 +69,9 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.hosts": [
+ "ubuntu-xenial"
+ ],
 "related.user": [
 "ubuntu"
 ],
@@ -103,6 +109,9 @@
 "osquery.result.host_identifier": "ubuntu-xenial",
 "osquery.result.name": "pack_osquery-monitoring_schedule",
 "osquery.result.unix_time": "1515423115",
+ "related.hosts": [
+ "ubuntu-xenial"
+ ],
 "related.user": [
 "ubuntu"
 ],
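Review bot: The `if` on the new `append` processor in pipeline.json only rejects a missing `host.hostname`; an empty string satisfies `ctx?.host?.hostname != null`, so the `{{host.hostname}}` template would push an empty entry into `related.hosts`, which is exactly what the preceding `set` processor guards against with `"ignore_empty_value": true` (the `append` processor has no equivalent option that I am aware of, hence the condition). Tightening it to `"if": "ctx?.host?.hostname != null && ctx.host.hostname != ''"` keeps the new field clean for correlation queries. The fixtures in this commit show `related.hosts` equal to `osquery.result.host_identifier`, so `host.hostname` is presumably populated from that field earlier in the pipeline, but that processor is outside the hunk and worth confirming.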
@@ -140,6 +149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -177,6 +189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -214,6 +229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -251,6 +269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -288,6 +309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -325,6 +349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -362,6 +389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -399,6 +429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -436,6 +469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -473,6 +509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -510,6 +549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -547,6 +589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -584,6 +629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -621,6 +669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -658,6 +709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -695,6 +749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -732,6 +789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -769,6 +829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -806,6 +869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -843,6 +909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -880,6 +949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -917,6 +989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -954,6 +1029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -991,6 +1069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1028,6 +1109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1065,6 +1149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1102,6 +1189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1139,6 +1229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1176,6 +1269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1213,6 +1309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1250,6 +1349,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1287,6 +1389,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1324,6 +1429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1361,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1398,6 +1509,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1435,6 +1549,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1472,6 +1589,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1509,6 +1629,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1546,6 +1669,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1583,6 +1709,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1620,6 +1749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1657,6 +1789,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1694,6 +1829,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1731,6 +1869,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1768,6 +1909,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1805,6 +1949,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1842,6 +1989,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1879,6 +2029,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1916,6 +2069,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1953,6 +2109,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1990,6 +2149,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2027,6 +2189,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2064,6 +2229,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2101,6 +2269,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2138,6 +2309,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_osquery-monitoring_schedule", "osquery.result.unix_time": "1515423115", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2195,6 +2369,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_slapper_installed", "osquery.result.unix_time": "1515431189", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2252,6 +2429,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_ossec-rootkit_adore_worm", "osquery.result.unix_time": "1515431988", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json index bc722ee249f..5a8083a37e2 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.darwin.log-expected.json @@ -22,6 +22,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "org.python.python.app", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -52,6 +55,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ruby", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -82,6 +88,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.a2p", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -112,6 +121,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.javajdk16.cmd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -142,6 +154,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.php", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -172,6 +187,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.nc", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -202,6 +220,9 @@ "osquery.result.name": "pack_it-compliance_alf_explicit_auths", "osquery.result.unix_time": "1514471990", "process.name": "com.apple.ksh", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -234,6 +255,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "httpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -266,6 +290,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "cupsd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -298,6 +325,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AEServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -330,6 +360,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ftpd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -362,6 +395,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleFileServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -394,6 +430,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "sshd-keygen-wrapper", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -426,6 +465,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "smbd", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -458,6 +500,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "AppleVNCServer", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -490,6 +535,9 @@ "osquery.result.name": "pack_it-compliance_alf_services", "osquery.result.unix_time": "1514471990", "process.name": "ODSAgent", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -544,6 +592,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -599,6 +650,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -653,6 +707,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -707,6 +764,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -761,6 +821,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -815,6 +878,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -869,6 +935,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -923,6 +992,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -977,6 +1049,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1031,6 +1106,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1085,6 +1163,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1139,6 +1220,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1193,6 +1277,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_firefox_addons", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1226,6 +1313,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1258,6 +1348,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1290,6 +1383,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1322,6 +1418,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1354,6 +1453,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1386,6 +1488,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1418,6 +1523,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1450,6 +1558,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1482,6 +1593,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1514,6 +1628,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1546,6 +1663,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1578,6 +1698,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1610,6 +1733,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1642,6 +1768,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1674,6 +1803,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1706,6 +1838,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1738,6 +1873,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1770,6 +1908,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1802,6 +1943,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1834,6 +1978,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -1866,6 +2013,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1898,6 +2048,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1930,6 +2083,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1962,6 +2118,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -1994,6 +2153,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2026,6 +2188,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2058,6 +2223,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2090,6 +2258,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2122,6 +2293,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2154,6 +2328,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2186,6 +2363,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2218,6 +2398,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2250,6 +2433,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2282,6 +2468,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2314,6 +2503,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2346,6 +2538,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2378,6 +2573,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2410,6 +2608,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2442,6 +2643,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2474,6 +2678,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2506,6 +2713,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2538,6 +2748,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2570,6 +2783,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2602,6 +2818,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2634,6 +2853,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2666,6 +2888,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2698,6 +2923,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2730,6 +2958,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2762,6 +2993,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2794,6 +3028,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2826,6 +3063,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2858,6 +3098,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2890,6 +3133,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2922,6 +3168,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -2954,6 +3203,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -2986,6 +3238,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3018,6 +3273,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3050,6 +3308,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3082,6 +3343,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3114,6 +3378,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3146,6 +3413,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3178,6 +3448,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -3210,6 +3483,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3242,6 +3518,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3274,6 +3553,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3306,6 +3588,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3338,6 +3623,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3370,6 +3658,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3402,6 +3693,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], 
@@ -3434,6 +3728,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], @@ -3466,6 +3763,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_homebrew_packages", "osquery.result.unix_time": "1514471991", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], diff --git a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json index c339f8183fd..0f9afe755c1 100644 --- a/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json +++ b/filebeat/module/osquery/result/test/osqueryd.results.sample.log-expected.json @@ -26,6 +26,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "system_info", "osquery.result.unix_time": "1512649280", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -60,6 +63,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -94,6 +100,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -128,6 +137,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -162,6 +174,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -196,6 +211,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -230,6 +248,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -264,6 +285,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -298,6 +322,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -332,6 +359,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -366,6 +396,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -400,6 +433,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -434,6 +470,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -468,6 +507,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -502,6 +544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -536,6 +581,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -570,6 +618,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -604,6 +655,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -638,6 +692,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -672,6 +729,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -706,6 +766,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -740,6 +803,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -774,6 +840,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -808,6 +877,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -842,6 +914,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -876,6 +951,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -910,6 +988,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -944,6 +1025,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -978,6 +1062,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1012,6 +1099,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1046,6 +1136,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1080,6 +1173,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1114,6 +1210,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1148,6 +1247,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1182,6 +1284,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1216,6 +1321,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1250,6 +1358,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1284,6 +1395,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1318,6 +1432,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1352,6 +1469,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1386,6 +1506,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1420,6 +1543,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1454,6 +1580,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1488,6 +1617,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1522,6 +1654,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1556,6 +1691,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1590,6 +1728,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1624,6 +1765,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1658,6 +1802,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1692,6 +1839,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1726,6 +1876,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1760,6 +1913,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -1794,6 +1950,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1828,6 +1987,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1862,6 +2024,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1896,6 +2061,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1930,6 +2098,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_kernel_modules", "osquery.result.unix_time": "1512669435", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1964,6 +2135,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -1998,6 +2172,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2032,6 +2209,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2066,6 +2246,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2100,6 +2283,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2134,6 +2320,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2168,6 +2357,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2202,6 +2394,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2236,6 +2431,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2270,6 +2468,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2304,6 +2505,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2341,6 +2545,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2394,6 +2601,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669438", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2428,6 +2638,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2462,6 +2675,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2496,6 +2712,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2530,6 +2749,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2564,6 +2786,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2598,6 +2823,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2632,6 +2860,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2666,6 +2897,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2700,6 +2934,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2734,6 +2971,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2768,6 +3008,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_disk_encryption", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2805,6 +3048,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_os_version", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2858,6 +3104,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_osquery_info", "osquery.result.unix_time": "1512669439", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2899,6 +3148,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -2940,6 +3192,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -2981,6 +3236,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3022,6 +3280,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3063,6 +3324,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3104,6 +3368,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3145,6 +3412,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3186,6 +3456,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3227,6 +3500,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
@@ -3268,6 +3544,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3309,6 +3588,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3350,6 +3632,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3391,6 +3676,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3432,6 +3720,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3473,6 +3764,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3514,6 +3808,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], @@ -3555,6 +3852,9 @@ "osquery.result.host_identifier": "ubuntu-xenial", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1512669441", + "related.hosts": [ + "ubuntu-xenial" + ], "related.user": [ "ubuntu" ], 
diff --git a/filebeat/module/osquery/result/test/test.log-expected.json b/filebeat/module/osquery/result/test/test.log-expected.json index 37a56ff8f13..4f7d0589a04 100644 --- a/filebeat/module/osquery/result/test/test.log-expected.json +++ b/filebeat/module/osquery/result/test/test.log-expected.json @@ -33,6 +33,9 @@ "osquery.result.host_identifier": "192-168-0-4.rdsnet.ro", "osquery.result.name": "pack_it-compliance_mounts", "osquery.result.unix_time": "1514472008", + "related.hosts": [ + "192-168-0-4.rdsnet.ro" + ], "related.user": [ "tsg" ], From 218ae15a69014d2ebb23d8b13a9beb2c4bfc8bfd Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 17 Sep 2020 14:15:44 +0200 Subject: [PATCH 03/10] Add related.hosts to system --- filebeat/module/system/auth/config/auth.yml | 2 +- .../module/system/auth/ingest/pipeline.yml | 4 + .../test/auth-ubuntu1204.log-expected.json | 297 +++++++++++++++++ .../auth/test/secure-rhel7.log-expected.json | 300 ++++++++++++++++++ .../system/auth/test/test.log-expected.json | 30 ++ .../auth/test/timestamp.log-expected.json | 6 + .../module/system/syslog/config/syslog.yml | 2 +- .../module/system/syslog/ingest/pipeline.yml | 4 + .../darwin-syslog-sample.log-expected.json | 6 + .../test/darwin-syslog.log-expected.json | 300 ++++++++++++++++++ .../syslog/test/suse-syslog.log-expected.json | 6 + .../syslog/test/tz-offset.log-expected.json | 9 + 12 files changed, 964 insertions(+), 2 deletions(-) diff --git a/filebeat/module/system/auth/config/auth.yml b/filebeat/module/system/auth/config/auth.yml index 3cdbd459e68..13f8c95656d 100644 --- a/filebeat/module/system/auth/config/auth.yml +++ b/filebeat/module/system/auth/config/auth.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml index a958855936a..94b75ca1280 100644 --- a/filebeat/module/system/auth/ingest/pipeline.yml 
+++ b/filebeat/module/system/auth/ingest/pipeline.yml @@ -142,6 +142,10 @@ processors: field: related.ip value: "{{source.ip}}" if: "ctx?.source?.ip != null" +- append: + field: related.hosts + value: "{{host.hostname}}" + if: "ctx.host?.hostname != null" on_failure: - set: field: error.message diff --git a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json index 74654cb6dc1..cff887d76e8 100644 --- a/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json +++ b/filebeat/module/system/auth/test/auth-ubuntu1204.log-expected.json @@ -11,6 +11,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -23,6 +26,9 @@ "input.type": "log", "log.offset": 81, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -44,6 +50,9 @@ "log.offset": 464, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -57,6 +66,9 @@ "log.offset": 570, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -71,6 +83,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -83,6 +98,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -104,6 +122,9 @@ "log.offset": 1121, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
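Review bot: The added condition `if: "ctx.host?.hostname != null"` drops the null-safe `?.` on `ctx` that the sibling condition two lines above (`ctx?.source?.ip != null`) and the panos pipeline's equivalent check (`ctx?.observer?.hostname != null`) both use; `ctx` is never null inside an ingest processor, so this is a consistency point rather than a runtime defect, but the mixed style reads as an oversight. Suggest `if: "ctx?.host?.hostname != null"` so every guard in the file follows one form. The `processors` list this hunk sits in starts outside the hunk and the `on_failure` block after the new entry is only partly visible, so I cannot confirm from here what populates `host.hostname` before this step; if it is the syslog header hostname rather than the shipper's own name, a one-line comment above `- append:` such as `# related.hosts: the log-emitting host as seen in host.hostname (presumably set earlier in this pipeline — verify), not a remote peer` would save the next reader the lookup.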
@@ -117,6 +138,9 @@ "log.offset": 1227, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -131,6 +155,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -143,6 +170,9 @@ "input.type": "log", "log.offset": 1393, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -164,6 +194,9 @@ "log.offset": 1776, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -177,6 +210,9 @@ "log.offset": 1882, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -191,6 +227,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -203,6 +242,9 @@ "input.type": "log", "log.offset": 2048, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -224,6 +266,9 @@ "log.offset": 2426, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -237,6 +282,9 @@ "log.offset": 2532, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -251,6 +299,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -263,6 +314,9 @@ "input.type": "log", "log.offset": 2698, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -284,6 +338,9 @@ "log.offset": 3083, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -297,6 +354,9 @@ "log.offset": 3189, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -311,6 +371,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -336,6 +399,9 @@ "input.type": "log", "log.offset": 3414, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -357,6 +423,9 @@ "log.offset": 3977, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -370,6 +439,9 @@ "log.offset": 4083, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -384,6 +456,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -396,6 +471,9 @@ "input.type": "log", "log.offset": 4249, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -417,6 +495,9 @@ "log.offset": 4632, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -430,6 +511,9 @@ "log.offset": 4738, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -444,6 +528,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -456,6 +543,9 @@ "input.type": "log", "log.offset": 4904, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -477,6 +567,9 @@ "log.offset": 5289, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -490,6 +583,9 @@ "log.offset": 5395, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -504,6 +600,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -516,6 +615,9 @@ "input.type": "log", "log.offset": 5561, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -537,6 +639,9 @@ "log.offset": 5942, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -550,6 +655,9 @@ "log.offset": 6048, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -564,6 +672,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -576,6 +687,9 @@ "input.type": "log", "log.offset": 6214, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -597,6 +711,9 @@ "log.offset": 6597, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -610,6 +727,9 @@ "log.offset": 6703, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -624,6 +744,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -636,6 +759,9 @@ "input.type": "log", "log.offset": 6869, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -657,6 +783,9 @@ "log.offset": 7254, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -670,6 +799,9 @@ "log.offset": 7360, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -684,6 +816,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -696,6 +831,9 @@ "input.type": "log", "log.offset": 7526, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -717,6 +855,9 @@ "log.offset": 7911, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -730,6 +871,9 @@ "log.offset": 8017, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -744,6 +888,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -756,6 +903,9 @@ "input.type": "log", "log.offset": 8183, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -777,6 +927,9 @@ "log.offset": 8564, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -790,6 +943,9 @@ "log.offset": 8670, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -804,6 +960,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -816,6 +975,9 @@ "input.type": "log", "log.offset": 8836, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -837,6 +999,9 @@ "log.offset": 9215, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -850,6 +1015,9 @@ "log.offset": 9321, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -864,6 +1032,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -876,6 +1047,9 @@ "input.type": "log", "log.offset": 9487, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -897,6 +1071,9 @@ "log.offset": 9869, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -910,6 +1087,9 @@ "log.offset": 9975, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -922,6 +1102,9 @@ "input.type": "log", "log.offset": 10060, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -943,6 +1126,9 @@ "log.offset": 11099, "message": " vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -956,6 +1142,9 @@ "log.offset": 11195, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -969,6 +1158,9 @@ "log.offset": 11301, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -983,6 +1175,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -997,6 +1192,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1009,6 +1207,9 @@ "input.type": "log", "log.offset": 11548, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], 
@@ -1030,6 +1231,9 @@ "log.offset": 11928, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1043,6 +1247,9 @@ "log.offset": 12034, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1057,6 +1264,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1069,6 +1279,9 @@ "input.type": "log", "log.offset": 12200, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1090,6 +1303,9 @@ "log.offset": 12583, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1103,6 +1319,9 @@ "log.offset": 12689, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1117,6 +1336,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1129,6 +1351,9 @@ "input.type": "log", "log.offset": 12855, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1150,6 +1375,9 @@ "log.offset": 13241, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1163,6 +1391,9 @@ "log.offset": 13347, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1177,6 +1408,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1189,6 +1423,9 @@ "input.type": "log", "log.offset": 13513, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1210,6 +1447,9 @@ "log.offset": 13898, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1223,6 +1463,9 @@ "log.offset": 14004, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1237,6 +1480,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1249,6 +1495,9 @@ "input.type": "log", "log.offset": 14170, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1270,6 +1519,9 @@ "log.offset": 14549, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1283,6 +1535,9 @@ "log.offset": 14655, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1297,6 +1552,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1309,6 +1567,9 @@ "input.type": "log", "log.offset": 14821, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], 
@@ -1330,6 +1591,9 @@ "log.offset": 15203, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1343,6 +1607,9 @@ "log.offset": 15309, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1357,6 +1624,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1369,6 +1639,9 @@ "input.type": "log", "log.offset": 15475, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1390,6 +1663,9 @@ "log.offset": 15860, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1403,6 +1679,9 @@ "log.offset": 15966, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1417,6 +1696,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1429,6 +1711,9 @@ "input.type": "log", "log.offset": 16132, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], @@ -1450,6 +1735,9 @@ "log.offset": 16517, "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1463,6 +1751,9 @@ "log.offset": 16623, "message": "pam_unix(sudo:session): session closed for user root", "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { 
@@ -1477,6 +1768,9 @@ "message": "subsystem request for sftp by user vagrant", "process.name": "sshd", "process.pid": 8317, + "related.hosts": [ + "precise32" + ], "service.type": "system" }, { @@ -1489,6 +1783,9 @@ "input.type": "log", "log.offset": 16789, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "vagrant" ], diff --git a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json index 5242ff398d9..7d8ece1d7f2 100644 --- a/filebeat/module/system/auth/test/secure-rhel7.log-expected.json +++ b/filebeat/module/system/auth/test/secure-rhel7.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -52,6 +55,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -74,6 +80,9 @@ "log.offset": 209, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -107,6 +116,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -129,6 +141,9 @@ "log.offset": 418, "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -162,6 +177,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -176,6 +194,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -190,6 +211,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2738, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -204,6 +228,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -218,6 +245,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -240,6 +270,9 @@ "log.offset": 1105, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -273,6 +306,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -295,6 +331,9 @@ "log.offset": 1314, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -328,6 +367,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -350,6 +392,9 @@ "log.offset": 1523, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -383,6 +428,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -405,6 +453,9 @@ "log.offset": 1732, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -438,6 +489,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -460,6 +514,9 @@ "log.offset": 1941, "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -493,6 +550,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -507,6 +567,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -521,6 +584,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2742, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -535,6 +601,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -549,6 +618,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -563,6 +635,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -577,6 +652,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -599,6 +677,9 @@ "log.offset": 2889, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -632,6 +713,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -654,6 +738,9 @@ "log.offset": 3098, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -687,6 +774,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -709,6 +799,9 @@ "log.offset": 3306, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -742,6 +835,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -764,6 +860,9 @@ "log.offset": 3515, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], 
@@ -797,6 +896,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -819,6 +921,9 @@ "log.offset": 3723, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -852,6 +957,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -874,6 +982,9 @@ "log.offset": 3932, "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -907,6 +1018,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -921,6 +1035,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2758, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -943,6 +1060,9 @@ "log.offset": 4259, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -976,6 +1096,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -998,6 +1121,9 @@ "log.offset": 4468, "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1031,6 +1157,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1045,6 +1174,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1059,6 +1191,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2754, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1073,6 +1208,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1087,6 +1225,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1109,6 +1250,9 @@ "log.offset": 5155, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1142,6 +1286,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1164,6 +1311,9 @@ "log.offset": 5364, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1197,6 +1347,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1219,6 +1372,9 @@ "log.offset": 5573, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -1252,6 +1408,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1274,6 +1433,9 @@ "log.offset": 5782, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1307,6 +1469,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1329,6 +1494,9 @@ "log.offset": 5991, "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1362,6 +1530,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1376,6 +1547,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1390,6 +1564,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2762, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1404,6 +1581,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1418,6 +1598,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1440,6 +1623,9 @@ "log.offset": 6678, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1473,6 +1659,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1495,6 +1684,9 @@ "log.offset": 6887, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1528,6 +1720,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1550,6 +1745,9 @@ "log.offset": 7096, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1583,6 +1781,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1605,6 +1806,9 @@ "log.offset": 7305, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1638,6 +1842,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1660,6 +1867,9 @@ "log.offset": 7514, "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -1693,6 +1903,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -1707,6 +1920,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1721,6 +1937,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2766, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1735,6 +1954,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1749,6 +1971,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1771,6 +1996,9 @@ "log.offset": 8199, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1804,6 +2032,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1826,6 +2057,9 @@ "log.offset": 8407, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], @@ -1859,6 +2093,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1881,6 +2118,9 @@ "log.offset": 8615, "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.27" ], 
@@ -1914,6 +2154,9 @@ "message": "Received disconnect from 116.31.116.27: 11: [preauth]", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1928,6 +2171,9 @@ "message": "PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.27 user=root", "process.name": "sshd", "process.pid": 2778, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1942,6 +2188,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1956,6 +2205,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -1978,6 +2230,9 @@ "log.offset": 9205, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2011,6 +2266,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2033,6 +2291,9 @@ "log.offset": 9414, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2066,6 +2327,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2088,6 +2352,9 @@ "log.offset": 9623, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], 
@@ -2121,6 +2388,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2143,6 +2413,9 @@ "log.offset": 9832, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2176,6 +2449,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2198,6 +2474,9 @@ "log.offset": 10041, "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2231,6 +2510,9 @@ "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2245,6 +2527,9 @@ "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2259,6 +2544,9 @@ "message": "PAM service(sshd) ignoring max retries; 5 > 3", "process.name": "sshd", "process.pid": 2785, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2273,6 +2561,9 @@ "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=202.109.143.106 user=root", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { @@ -2287,6 +2578,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" }, { 
@@ -2309,6 +2603,9 @@ "log.offset": 10728, "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "related.ip": [ "202.109.143.106" ], @@ -2342,6 +2639,9 @@ "message": "pam_succeed_if(sshd:auth): requirement \"uid >= 1000\" not met by user \"root\"", "process.name": "sshd", "process.pid": 2797, + "related.hosts": [ + "slave22" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json index 0203b1a1f3b..88d32188bb7 100644 --- a/filebeat/module/system/auth/test/test.log-expected.json +++ b/filebeat/module/system/auth/test/test.log-expected.json @@ -19,6 +19,9 @@ "log.offset": 0, "process.name": "sshd", "process.pid": 3402, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -53,6 +56,9 @@ "log.offset": 152, "process.name": "sshd", "process.pid": 7483, + "related.hosts": [ + "localhost" + ], "related.ip": [ "192.168.33.1" ], @@ -86,6 +92,9 @@ "log.offset": 254, "process.name": "sshd", "process.pid": 3430, + "related.hosts": [ + "localhost" + ], "related.ip": [ "10.0.2.2" ], @@ -117,6 +126,9 @@ "log.offset": 324, "process.name": "sshd", "process.pid": 5774, + "related.hosts": [ + "slave22" + ], "related.ip": [ "116.31.116.24" ], @@ -148,6 +160,9 @@ "input.type": "log", "log.offset": 420, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -169,6 +184,9 @@ "log.offset": 522, "process.name": "sshd", "process.pid": 18406, + "related.hosts": [ + "slave22" + ], "related.ip": [ "123.57.245.163" ], @@ -195,6 +213,9 @@ "input.type": "log", "log.offset": 617, "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "related.user": [ "vagrant" ], @@ -215,6 +236,9 @@ "input.type": "log", "log.offset": 736, "process.name": "sudo", + "related.hosts": [ + "precise32" + ], "related.user": [ "tsg" ], 
@@ -247,6 +271,9 @@ "log.offset": 861, "process.name": "groupadd", "process.pid": 6991, + "related.hosts": [ + "localhost" + ], "service.type": "system" }, { @@ -269,6 +296,9 @@ "log.offset": 934, "process.name": "useradd", "process.pid": 6995, + "related.hosts": [ + "localhost" + ], "related.user": [ "apache" ], diff --git a/filebeat/module/system/auth/test/timestamp.log-expected.json b/filebeat/module/system/auth/test/timestamp.log-expected.json index 8903b63e89e..4d428b4d1cc 100644 --- a/filebeat/module/system/auth/test/timestamp.log-expected.json +++ b/filebeat/module/system/auth/test/timestamp.log-expected.json @@ -12,6 +12,9 @@ "log.offset": 0, "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "service.type": "system" }, { @@ -27,6 +30,9 @@ "log.offset": 118, "message": "user nobody logged out.", "process.name": "pam", + "related.hosts": [ + "localhost" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/config/syslog.yml b/filebeat/module/system/syslog/config/syslog.yml index 3cdbd459e68..13f8c95656d 100644 --- a/filebeat/module/system/syslog/config/syslog.yml +++ b/filebeat/module/system/syslog/config/syslog.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml index e45cacec6b6..c0ed71b3471 100644 --- a/filebeat/module/system/syslog/ingest/pipeline.yml +++ b/filebeat/module/system/syslog/ingest/pipeline.yml @@ -54,6 +54,10 @@ processors: - set: field: event.kind value: event +- append: + field: related.hosts + value: "{{host.hostname}}" + if: "ctx.host?.hostname != null" on_failure: - set: field: error.message 
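Review bot: The value appended to `related.hosts` is whatever `host.hostname` holds when this processor runs, and the fixtures in this patch (per-event values such as `localhost`, `slave22`, `precise32`, `a-mac-with-esc-key`) suggest it is the hostname carried in the log line itself, i.e. self-reported by whatever wrote the line rather than verified by the collector; that should be documented, since analysts pivot on `related.hosts` as if it were an asset identity. I would add above the new processor `# related.hosts: the host named in the syslog line (self-reported by the producer, not collector-verified); remote hosts mentioned in the message body are not extracted here.` If the target Elasticsearch version supports it, `allow_duplicates: false` on the `append` would keep the field set-like should another processor later append the same name. The enclosing `processors` list starts above the hunk.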
diff --git a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json index 7fd9929cf9e..a5957f19b94 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog-sample.log-expected.json @@ -14,6 +14,9 @@ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -28,6 +31,9 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { diff --git a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json index f1abb5047d5..6f12a7a5656 100644 --- a/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/darwin-syslog.log-expected.json 
@@ -11,6 +11,9 @@ "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -28,6 +31,9 @@ "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -42,6 +48,9 @@ "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -56,6 +65,9 @@ "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -73,6 +85,9 @@ "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t>,\n\t\t\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t>\n\t)}\n\tUsing server: \n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -87,6 +102,9 @@ "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -101,6 +119,9 @@ "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -118,6 +139,9 @@ "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -132,6 +156,9 @@ "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -146,6 +173,9 @@ "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -160,6 +190,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -174,6 +207,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -188,6 +224,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -202,6 +241,9 @@ "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -216,6 +258,9 @@ "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -230,6 +275,9 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -244,6 +292,9 @@ "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -258,6 +309,9 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL ( { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -272,6 +326,9 @@ "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -286,6 +343,9 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -300,6 +360,9 @@ "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -314,6 +377,9 @@ "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", "process.name": "ksfetch", "process.pid": 21414, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -331,6 +397,9 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t<>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -345,6 +414,9 @@ "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -362,6 +434,9 @@ "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141&cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\n\t\t\t\n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t \n\t\t\t\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -376,6 +451,9 @@ "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -390,6 +468,9 @@ "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -404,6 +485,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -418,6 +502,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -432,6 +519,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -446,6 +536,9 @@ "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -460,6 +553,9 @@ "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -477,6 +573,9 @@ "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \n\t\t>>\n\t\tprocessor=\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t>\n\t\tdelegate=\n\t\tserverInfoStore=\n\t\terrors=0\n\t>", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -491,6 +590,9 @@ "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to { URL: https://tools.google.com/service/update2 }", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -508,6 +610,9 @@ "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -522,6 +627,9 @@ "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -536,6 +644,9 @@ "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 21412, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -550,6 +661,9 @@ "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -564,6 +678,9 @@ "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -577,6 +694,9 @@ "log.offset": 15501, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -591,6 +711,9 @@ "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -605,6 +728,9 @@ "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -619,6 +745,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -632,6 +761,9 @@ "log.offset": 16312, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -645,6 +777,9 @@ "log.offset": 16527, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -659,6 +794,9 @@ "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -672,6 +810,9 @@ "log.offset": 16952, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -686,6 +827,9 @@ "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -700,6 +844,9 @@ "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -713,6 +860,9 @@ "log.offset": 17693, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -727,6 +877,9 @@ "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -741,6 +894,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -755,6 +911,9 @@ "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -768,6 +927,9 @@ "log.offset": 18504, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -782,6 +944,9 @@ "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -795,6 +960,9 @@ "log.offset": 18982, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -809,6 +977,9 @@ "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -822,6 +993,9 @@ "log.offset": 19407, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -836,6 +1010,9 @@ "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -850,6 +1027,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -864,6 +1044,9 @@ "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -877,6 +1060,9 @@ "log.offset": 20078, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -891,6 +1077,9 @@ "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -904,6 +1093,9 @@ "log.offset": 20556, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -918,6 +1110,9 @@ "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -932,6 +1127,9 @@ "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -946,6 +1144,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -959,6 +1160,9 @@ "log.offset": 21367, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -973,6 +1177,9 @@ "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -987,6 +1194,9 @@ "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1000,6 +1210,9 @@ "log.offset": 22108, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1014,6 +1227,9 @@ "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1028,6 +1244,9 @@ "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1041,6 +1260,9 @@ "log.offset": 22849, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1055,6 +1277,9 @@ "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1069,6 +1294,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1082,6 +1310,9 @@ "log.offset": 23397, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1096,6 +1327,9 @@ "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1109,6 +1343,9 @@ "log.offset": 23822, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1123,6 +1360,9 @@ "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1136,6 +1376,9 @@ "log.offset": 24160, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1150,6 +1393,9 @@ "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1164,6 +1410,9 @@ "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1178,6 +1427,9 @@ "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1192,6 +1444,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1205,6 +1460,9 @@ "log.offset": 25094, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1219,6 +1477,9 @@ "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1233,6 +1494,9 @@ "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: ", "process.name": "GoogleSoftwareUpdateAgent", "process.pid": 22318, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1246,6 +1510,9 @@ "log.offset": 26456, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1260,6 +1527,9 @@ "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1274,6 +1544,9 @@ "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1287,6 +1560,9 @@ "log.offset": 27057, "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process.name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1301,6 +1577,9 @@ "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702", "process.name": "Slack Helper", "process.pid": 55199, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1314,6 +1593,9 @@ "log.offset": 27342, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1328,6 +1610,9 @@ "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { 
@@ -1342,6 +1627,9 @@ "message": "ASL Sender Statistics", "process.name": "syslogd", "process.pid": 46, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1356,6 +1644,9 @@ "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1369,6 +1660,9 @@ "log.offset": 28153, "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process.name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])", + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1383,6 +1677,9 @@ "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" }, { @@ -1397,6 +1694,9 @@ "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process.name": "Google Chrome", "process.pid": 85294, + "related.hosts": [ + "a-mac-with-esc-key" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json index 48cbc44161b..4090efed2e7 100644 --- a/filebeat/module/system/syslog/test/suse-syslog.log-expected.json +++ b/filebeat/module/system/syslog/test/suse-syslog.log-expected.json 
@@ -11,6 +11,9 @@ "message": "Stopped target Basic System.", "process.name": "systemd", "process.pid": 4179, + "related.hosts": [ + "linux-sqrz" + ], "service.type": "system" }, { @@ -25,6 +28,9 @@ "message": "Stopped target Paths.", "process.name": "systemd", "process.pid": 4179, + "related.hosts": [ + "linux-sqrz" + ], "service.type": "system" } ] \ No newline at end of file diff --git a/filebeat/module/system/syslog/test/tz-offset.log-expected.json b/filebeat/module/system/syslog/test/tz-offset.log-expected.json index 2dfd146dedc..905d8cfd95d 100644 --- a/filebeat/module/system/syslog/test/tz-offset.log-expected.json +++ b/filebeat/module/system/syslog/test/tz-offset.log-expected.json @@ -13,6 +13,9 @@ "message": "shutting down for system halt", "process.name": "shutdown", "process.pid": 2649, + "related.hosts": [ + "rmbkmonitor04" + ], "service.type": "system" }, { @@ -28,6 +31,9 @@ "log.offset": 89, "message": "constraint_0_power_limit_uw exceeded.", "process.name": "thermald", + "related.hosts": [ + "rmbkmonitor04" + ], "service.type": "system" }, { @@ -43,6 +49,9 @@ "log.offset": 184, "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "process.name": "sudo", + "related.hosts": [ + "localhost" + ], "service.type": "system" } ] \ No newline at end of file From 331325c72440a9585b185ad6c39c815b0cf26182 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 17 Sep 2020 14:24:52 +0200 Subject: [PATCH 04/10] Add related.hosts to defender atp --- .../module/microsoft/defender_atp/config/atp.yml | 2 +- .../microsoft/defender_atp/ingest/pipeline.yml | 4 ++++ .../test/defender_atp-test.json.log-expected.json | 12 ++++++++++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml index 5108ebdad07..f69e14d5f97 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml 
+++ b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml @@ -40,4 +40,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml index 392f3a441a7..b60beb7603b 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml @@ -279,6 +279,10 @@ processors: field: related.hash value: '{{file.hash.sha256}}' if: ctx.file?.hash?.sha256 != null +- append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null ############# ## Cleanup ## diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json index b7b2b12ff40..0423289d6ac 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json +++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json 
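Review bot: The new `append` onto `related.hosts` in the defender_atp pipeline hunk sets no `allow_duplicates: false`, so any other processor in this pipeline that also appends the endpoint's name (if one exists outside this hunk) will store the same hostname twice in a field that is meant to be a set. The Cisco fixtures later in this series (additional_messages.log-expected.json, asa.log-expected.json) show that outcome for the Cisco shared pipeline, with `"dev01", "dev01"` and `"localhost", "localhost"` in `related.hosts`, which makes value-count queries and detection rules keyed on `related.hosts` misleading. If the Elasticsearch version this module targets supports the option, add `allow_duplicates: false` to this processor and to the equivalent appends in the Cisco shared pipeline (not visible here), and regenerate the expected JSON. The `processors` list this hunk belongs to starts outside the hunk.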
@@ -40,6 +40,9 @@ "observer.name": "WindowsDefenderAv", "observer.product": "Defender ATP", "observer.vendor": "Microsoft", + "related.hosts": [ + "testserver4" + ], "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.", "service.type": "microsoft", "tags": [ @@ -102,6 +105,9 @@ "b6d237154f2e528f0b503b58b025862d66b02b73", "a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77" ], + "related.hosts": [ + "testserver4" + ], "related.user": [ "administrator1" ], @@ -157,6 +163,9 @@ "observer.name": "WindowsDefenderAtp", "observer.product": "Defender ATP", "observer.vendor": "Microsoft", + "related.hosts": [ + "testserver4" + ], "related.user": [ "administrator1" ], 
@@ -215,6 +224,9 @@ "ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281", "fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356" ], + "related.hosts": [ + "testserver4" + ], "rule.description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.", "service.type": "microsoft", "tags": [ From 8b753fdc21099ae593eba99a8663a43027216e88 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Fri, 18 Sep 2020 08:31:31 +0200 Subject: [PATCH 05/10] Add related.hosts to cisco --- .../module/cisco/asa/config/input.yml | 2 +- .../additional_messages.log-expected.json | 266 ++++++++++++ .../cisco/asa/test/asa-fix.log-expected.json | 20 + .../cisco/asa/test/asa.log-expected.json | 400 ++++++++++++++++++ .../cisco/asa/test/filtered.log-expected.json | 8 + .../asa/test/hostnames.log-expected.json | 10 + .../cisco/asa/test/not-ip.log-expected.json | 12 + .../cisco/asa/test/sample.log-expected.json | 61 +++ .../module/cisco/ftd/config/input.yml | 2 +- .../cisco/ftd/test/asa-fix.log-expected.json | 16 + .../cisco/ftd/test/asa.log-expected.json | 400 ++++++++++++++++++ .../cisco/ftd/test/dns.log-expected.json | 84 ++++ .../cisco/ftd/test/filtered.log-expected.json | 4 + .../ftd/test/intrusion.log-expected.json | 16 + .../ftd/test/no-type-id.log-expected.json | 16 + .../cisco/ftd/test/not-ip.log-expected.json | 12 + .../cisco/ftd/test/sample.log-expected.json | 113 +++++ .../security-connection.log-expected.json | 40 ++ .../security-file-malware.log-expected.json | 40 ++ .../security-malware-site.log-expected.json | 4 + .../module/cisco/ios/config/input.yml | 2 +- .../module/cisco/meraki/config/input.yml | 2 +- .../module/cisco/meraki/ingest/pipeline.yml | 8 + .../meraki/test/generated.log-expected.json | 97 +++-- .../module/cisco/nexus/config/input.yml | 2 +- .../module/cisco/nexus/ingest/pipeline.yml | 8 + .../cisco/shared/ingest/asa-ftd-pipeline.yml | 16 + 27 files changed, 1612 insertions(+), 49 deletions(-) diff --git a/x-pack/filebeat/module/cisco/asa/config/input.yml b/x-pack/filebeat/module/cisco/asa/config/input.yml index 0cffa76a01f..b5271fe8598 100644 --- a/x-pack/filebeat/module/cisco/asa/config/input.yml +++ b/x-pack/filebeat/module/cisco/asa/config/input.yml @@ -23,4 +23,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json index 8d8b28fe30f..8c9bf28fee0 100644 --- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json @@ -40,6 +40,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -95,6 +99,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -140,6 +148,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -184,6 +196,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2" ], @@ -223,6 +239,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2" ], @@ -265,6 +285,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -317,6 +341,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -370,6 +398,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.192.18.4", "10.192.70.66" 
@@ -415,6 +447,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -463,6 +499,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.192.18.4" @@ -501,6 +541,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -536,6 +580,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -574,6 +622,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -615,6 +667,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10" ], @@ -657,6 +713,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10" ], @@ -699,6 +759,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.192.46.90", "10.10.10.10" @@ -743,6 +807,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -796,6 +864,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" 
@@ -850,6 +922,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -902,6 +978,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -949,6 +1029,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -995,6 +1079,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1043,6 +1131,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1105,6 +1197,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.186.2.2" @@ -1159,6 +1255,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1214,6 +1314,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1265,6 +1369,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1311,6 +1419,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" 
@@ -1358,6 +1470,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1403,6 +1519,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1448,6 +1568,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1493,6 +1617,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1531,6 +1659,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1562,6 +1694,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1595,6 +1731,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1628,6 +1768,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1671,6 +1815,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" 
@@ -1721,6 +1869,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "192.168.2.2", "10.10.10.10" @@ -1759,6 +1911,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1790,6 +1946,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1828,6 +1988,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -1866,6 +2030,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1897,6 +2065,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -1939,6 +2111,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "10.10.10.10" @@ -1983,6 +2159,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2025,6 +2205,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "10.10.10.10" 
@@ -2072,6 +2256,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.10", "192.168.2.2" @@ -2114,6 +2302,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2156,6 +2348,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2198,6 +2394,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2240,6 +2440,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.20.30.40", "10.20.30.40" @@ -2302,6 +2506,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "1.2.3.4", "2.3.4.5" @@ -2359,6 +2567,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.10.2", "192.168.2.2" @@ -2418,6 +2630,11 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01", + "somedomainname.local" + ], "related.ip": [ "195.122.12.242" ], @@ -2456,6 +2673,11 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01", + "console" + ], "service.type": "cisco", "source.address": "console", "source.domain": "console", 
@@ -2491,6 +2713,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2530,6 +2756,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -2568,6 +2798,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.1.212", "10.10.1.254" @@ -2609,6 +2843,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2652,6 +2890,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.0.87", "10.10.1.254" @@ -2693,6 +2935,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "10.10.0.87" ], @@ -2729,6 +2975,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "91.240.17.178" ], @@ -2789,6 +3039,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "91.240.17.178" ], @@ -2826,6 +3080,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "8.8.8.8" ], @@ -2869,6 +3127,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "8.8.8.8" ], 
@@ -2928,6 +3190,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "dev01", + "dev01" + ], "related.ip": [ "104.46.88.19", "195.74.114.34" diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 90ec4ed3a8f..343dbf34315 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -40,6 +40,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -89,6 +93,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -187,6 +195,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -229,6 +241,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -274,6 +290,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "fe80::1ff:fe23:4567:890a" ], diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 18ea450c55f..5f584e4ad8c 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json 
@@ -37,6 +37,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -94,6 +98,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.205.104", "172.31.98.44" @@ -151,6 +159,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -208,6 +220,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -265,6 +281,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -322,6 +342,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -379,6 +403,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" @@ -436,6 +464,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" @@ -493,6 +525,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" @@ -550,6 +586,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" 
@@ -607,6 +647,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -664,6 +708,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -721,6 +769,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -778,6 +830,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -835,6 +891,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -892,6 +952,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -949,6 +1013,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -1006,6 +1074,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" @@ -1063,6 +1135,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" 
@@ -1114,6 +1190,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1171,6 +1251,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1228,6 +1312,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1285,6 +1373,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1342,6 +1434,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1393,6 +1489,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1450,6 +1550,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1501,6 +1605,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1558,6 +1666,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" 
@@ -1615,6 +1727,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1672,6 +1788,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1729,6 +1849,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1786,6 +1910,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1837,6 +1965,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1894,6 +2026,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.225.103", "172.31.98.44" @@ -1945,6 +2081,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2002,6 +2142,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2059,6 +2203,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" 
@@ -2116,6 +2264,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2173,6 +2325,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2224,6 +2380,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2281,6 +2441,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.179.219", "172.31.98.44" @@ -2338,6 +2502,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2395,6 +2563,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2452,6 +2624,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2509,6 +2685,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2560,6 +2740,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -2617,6 +2801,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2674,6 +2862,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2731,6 +2923,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2788,6 +2984,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2845,6 +3045,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2896,6 +3100,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2953,6 +3161,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3004,6 +3216,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3061,6 +3277,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" 
@@ -3112,6 +3332,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3169,6 +3393,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3226,6 +3454,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3283,6 +3515,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3334,6 +3570,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3391,6 +3631,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3442,6 +3686,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3499,6 +3747,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3556,6 +3808,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" 
@@ -3613,6 +3869,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3664,6 +3924,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3721,6 +3985,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3778,6 +4046,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3829,6 +4101,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3886,6 +4162,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.192.44", "172.31.98.44" @@ -3928,6 +4208,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -3972,6 +4256,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4029,6 +4317,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" 
@@ -4071,6 +4363,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4106,6 +4402,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4141,6 +4441,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4176,6 +4480,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4211,6 +4519,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4246,6 +4558,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -4296,6 +4612,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4353,6 +4673,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -4404,6 +4728,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" 
@@ -4461,6 +4789,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4515,6 +4847,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4569,6 +4905,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4623,6 +4963,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4677,6 +5021,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4731,6 +5079,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4785,6 +5137,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4839,6 +5195,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4893,6 +5253,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" 
@@ -4947,6 +5311,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5001,6 +5369,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5055,6 +5427,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5109,6 +5485,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5163,6 +5543,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5214,6 +5598,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5271,6 +5659,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.205.99", "172.31.98.44" @@ -5322,6 +5714,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5379,6 +5775,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.14.30", "172.31.98.44" diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index e0c78694ae9..009a7dc1c2d 100644 
--- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -26,6 +26,10 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats", + "beats" + ], "service.type": "cisco", "tags": [ "cisco-asa", @@ -69,6 +73,10 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats", + "beats" + ], "related.ip": [ "10.13.12.11", "192.168.33.12" diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index 7d010afe62c..d64160084c2 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -31,6 +31,12 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "localhost", + "target.destination.hostname.local", + "Prod-host.name.addr" + ], "service.type": "cisco", "source.domain": "Prod-host.name.addr", "source.nat.ip": "10.0.55.66", @@ -73,6 +79,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "MYHOSTNAME", + "MYHOSTNAME" + ], "related.ip": [ "192.0.2.134", "192.0.2.15" diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 74097780ab2..34425411699 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -36,6 +36,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], 
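Review bot: Every event in the filtered.log and hostnames.log fixtures carries the same hostname twice in `related.hosts` (`"beats", "beats"`, `"localhost", "localhost"`, `"MYHOSTNAME", "MYHOSTNAME"`), which suggests the cisco pipeline appends the syslog host and the observer hostname without deduplicating; that pipeline is not in this diff, so the fix belongs there rather than in these golden files. `related.*` exists so an analyst can pivot on any host in a single query, and a repeated value adds nothing to that pivot while doubling the stored array and making these fixtures noisier to review. If the target stack supports it, adding `allow_duplicates: false` to each `append` processor that populates `related.hosts` removes the repeat; otherwise a small script processor can dedupe the array once before the temporary fields are removed. The first hostnames.log event also shows the intended behaviour, since `target.destination.hostname.local` and `Prod-host.name.addr` are genuinely distinct pivots. The not-ip.log hunk that routes `WHAT-IS-THIS-A-HOSTNAME-192.0.2.244` into `related.hosts` while leaving `related.ip` as `203.0.113.42` is the right split for a non-IP address value.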
@@ -82,6 +85,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -140,6 +147,11 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index d27f89ab5b9..7999c72b667 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -189,6 +189,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01", + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -241,6 +245,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01", + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -700,6 +708,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01", + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -2154,6 +2166,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2207,6 +2222,9 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "", + "related.hosts": [ + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2772,6 +2790,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" 
@@ -2817,6 +2839,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2862,6 +2888,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2907,6 +2937,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2952,6 +2986,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2997,6 +3035,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -3042,6 +3084,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3087,6 +3133,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3138,6 +3188,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -3186,6 +3240,10 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], 
@@ -3285,6 +3343,9 @@ "observer.product": "asa", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" diff --git a/x-pack/filebeat/module/cisco/ftd/config/input.yml b/x-pack/filebeat/module/cisco/ftd/config/input.yml index a505d3030eb..4892400a8b9 100644 --- a/x-pack/filebeat/module/cisco/ftd/config/input.yml +++ b/x-pack/filebeat/module/cisco/ftd/config/input.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 21dc57d3315..8920b7b5e0f 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -41,6 +41,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.233.123.123" @@ -91,6 +95,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -191,6 +199,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" @@ -234,6 +246,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "SNL-ASA-VPN-A01", + "SNL-ASA-VPN-A01" + ], "related.ip": [ "10.123.123.123", "10.123.123.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index b1b3a633ad1..04449c7001c 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -36,6 +36,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -92,6 +96,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.205.104", "172.31.98.44" @@ -148,6 +156,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -204,6 +216,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -260,6 +276,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -316,6 +336,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.185.90", "172.31.98.44" @@ -372,6 +396,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.160.197", "172.31.98.44" @@ -428,6 +456,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.205.14", "172.31.98.44" @@ -484,6 +516,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.124.33", "172.31.98.44" 
@@ -540,6 +576,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.35.9", "172.31.98.44" @@ -596,6 +636,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.211.242", "172.31.98.44" @@ -652,6 +696,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.218.21", "172.31.98.44" @@ -708,6 +756,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -764,6 +816,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.27", "172.31.98.44" @@ -820,6 +876,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.202.211", "172.31.98.44" @@ -876,6 +936,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -932,6 +996,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.124.15", "172.31.98.44" @@ -988,6 +1056,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.209.247", "172.31.98.44" 
@@ -1044,6 +1116,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.35.162", "172.31.98.44" @@ -1094,6 +1170,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1150,6 +1230,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1206,6 +1290,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.80.32", "172.31.98.44" @@ -1262,6 +1350,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1318,6 +1410,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.6", "172.31.98.44" @@ -1368,6 +1464,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1424,6 +1524,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1474,6 +1578,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -1530,6 +1638,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.252.226", "172.31.98.44" @@ -1586,6 +1698,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1642,6 +1758,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1698,6 +1818,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.238.126", "172.31.98.44" @@ -1754,6 +1878,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.93.51", "172.31.98.44" @@ -1804,6 +1932,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1860,6 +1992,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.225.103", "172.31.98.44" @@ -1910,6 +2046,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -1966,6 +2106,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" 
@@ -2022,6 +2166,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2078,6 +2226,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.240.126", "172.31.98.44" @@ -2134,6 +2286,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.44.45", "172.31.98.44" @@ -2184,6 +2340,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2240,6 +2400,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.179.219", "172.31.98.44" @@ -2296,6 +2460,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2352,6 +2520,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" @@ -2408,6 +2580,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2464,6 +2640,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.178.133", "172.31.98.44" 
@@ -2514,6 +2694,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2570,6 +2754,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2626,6 +2814,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.133.112", "172.31.98.44" @@ -2682,6 +2874,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2738,6 +2934,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.157.232", "172.31.98.44" @@ -2794,6 +2994,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.204.197", "172.31.98.44" @@ -2844,6 +3048,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -2900,6 +3108,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -2950,6 +3162,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -3006,6 +3222,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3056,6 +3276,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3112,6 +3336,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.128.3", "172.31.98.44" @@ -3168,6 +3396,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3224,6 +3456,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.100.4", "172.31.98.44" @@ -3274,6 +3510,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3330,6 +3570,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3380,6 +3624,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3436,6 +3684,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" 
@@ -3492,6 +3744,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3548,6 +3804,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3598,6 +3858,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3654,6 +3918,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.198.40", "172.31.98.44" @@ -3710,6 +3978,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.1.107", "172.31.98.44" @@ -3760,6 +4032,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -3816,6 +4092,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.192.44", "172.31.98.44" @@ -3857,6 +4137,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -3900,6 +4184,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" 
@@ -3956,6 +4244,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" @@ -3997,6 +4289,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4031,6 +4327,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4065,6 +4365,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4099,6 +4403,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4133,6 +4441,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4167,6 +4479,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -4216,6 +4532,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4272,6 +4592,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.156.80" 
@@ -4322,6 +4646,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.156.80", "100.66.98.44" @@ -4378,6 +4706,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.115.46", "172.31.156.80" @@ -4431,6 +4763,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4484,6 +4820,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4537,6 +4877,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4590,6 +4934,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4643,6 +4991,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4696,6 +5048,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4749,6 +5105,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" 
@@ -4802,6 +5162,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4855,6 +5219,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4908,6 +5276,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -4961,6 +5333,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5014,6 +5390,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5067,6 +5447,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.19.254", "172.31.98.44" @@ -5117,6 +5501,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" @@ -5173,6 +5561,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.205.99", "172.31.98.44" @@ -5223,6 +5615,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "172.31.98.44", "100.66.98.44" 
@@ -5279,6 +5675,10 @@ "observer.vendor": "Cisco", "process.name": "CiscoASA", "process.pid": 999, + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "100.66.14.30", "172.31.98.44" diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index ae2b729ada8..bd0a28f0957 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -82,6 +82,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -187,6 +191,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -290,6 +298,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -395,6 +407,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -499,6 +515,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -602,6 +622,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -708,6 +732,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -811,6 +839,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -915,6 +947,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1020,6 +1056,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1126,6 +1166,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "205.251.196.144" @@ -1225,6 +1269,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1329,6 +1377,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1432,6 +1484,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1536,6 +1592,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "9.9.9.9" @@ -1641,6 +1701,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1744,6 +1808,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -1847,6 +1915,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -1950,6 +2022,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2051,6 +2127,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -2156,6 +2236,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index 2364b5ed1a1..eb9e4027780 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json @@ -27,6 +27,10 @@ "observer.vendor": "Cisco", "process.name": "asa", "process.pid": 1234, + "related.hosts": [ + "beats", + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 83616ceec8b..384dda1c9b3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -62,6 +62,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" 
@@ -144,6 +148,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -222,6 +230,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -300,6 +312,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index e2939392ef5..0602f5d1189 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -37,6 +37,10 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats", + "beats" + ], "related.ip": [ "10.1.123.45", "10.8.12.47" @@ -81,6 +85,10 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats", + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -120,6 +128,10 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats", + "beats" + ], "service.type": "cisco", "tags": [ "cisco-ftd", @@ -171,6 +183,10 @@ "observer.vendor": "Cisco", "process.name": "ftd", "process.pid": 1234, + "related.hosts": [ + "beats", + "beats" + ], "related.ip": [ "127.0.0.1", "192.168.3.33" diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 90fd65d46cd..6d075a79629 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json 
@@ -35,6 +35,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "WHAT-IS-THIS-A-HOSTNAME-192.0.2.244" + ], "related.ip": [ "203.0.113.42" ], @@ -80,6 +83,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "localhost" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -137,6 +144,11 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "localhost", + "localhost", + "example.org" + ], "related.ip": [ "10.10.10.1", "172.24.177.3" diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 371218e511b..2afe4aeb62b 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -185,6 +185,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01", + "INT-FW01" + ], "related.ip": [ "172.29.2.101", "192.0.2.10" @@ -236,6 +240,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "INT-FW01", + "INT-FW01" + ], "related.ip": [ "172.29.2.3", "192.0.2.57" @@ -686,6 +694,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "FJSG2NRFW01", + "FJSG2NRFW01" + ], "related.ip": [ "192.168.132.46", "172.24.177.29" @@ -1959,6 +1971,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.168.77.12", "10.0.13.13" @@ -2010,6 +2026,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" 
@@ -2061,6 +2081,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.168.1.33", "192.0.0.12" @@ -2115,6 +2139,11 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1", + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2168,6 +2197,11 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1", + "OCSP_Server" + ], "related.ip": [ "192.0.2.222" ], @@ -2221,6 +2255,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2275,6 +2313,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -2329,6 +2371,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.35" @@ -2375,6 +2421,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2421,6 +2471,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2472,6 +2526,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.168.1.34", "192.0.0.12" 
@@ -2526,6 +2584,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2580,6 +2642,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "192.168.1.34" @@ -2634,6 +2700,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "127.0.0.1", + "127.0.0.1" + ], "related.ip": [ "192.0.2.222", "10.10.10.10" @@ -2731,6 +2801,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2775,6 +2849,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2819,6 +2897,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2863,6 +2945,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.47" @@ -2907,6 +2993,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" @@ -2951,6 +3041,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.88.99.57" 
@@ -2995,6 +3089,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3039,6 +3137,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "0.0.0.0", "192.168.1.255" @@ -3089,6 +3191,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "192.0.2.95", "10.32.112.125" @@ -3136,6 +3242,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "GIFRCHN01", + "GIFRCHN01" + ], "related.ip": [ "10.2.3.5" ], @@ -3233,6 +3343,9 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "bad.example.com" + ], "related.ip": [ "10.1.1.45", "192.88.99.129" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 7d48283bdaa..91ffa1c6ed5 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -65,6 +65,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -154,6 +158,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -251,6 +259,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" 
@@ -355,6 +367,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "8.8.8.8" @@ -447,6 +463,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -557,6 +577,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "52.59.244.233" @@ -652,6 +676,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -758,6 +786,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -843,6 +875,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.100.30", "10.0.1.20" @@ -941,6 +977,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index c9105b957ab..ec853ea1c76 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json 
@@ -51,6 +51,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -122,6 +126,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -193,6 +201,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -264,6 +276,10 @@ "observer.product": "ftd", "observer.type": "firewall", "observer.vendor": "Cisco", + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -344,6 +360,10 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -424,6 +444,10 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -508,6 +532,10 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "siem-ftd", + "siem-ftd" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" @@ -600,6 +628,10 @@ "related.hash": [ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "213.211.198.62" @@ -683,6 +715,10 @@ "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "10.0.100.30" 
@@ -776,6 +812,10 @@ "related.hash": [ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], + "related.hosts": [ + "firepower", + "firepower" + ], "related.ip": [ "10.0.1.20", "18.197.225.123" diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 2fe9194946a..23a2d983b72 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -86,6 +86,10 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "process.name": "Alerts", + "related.hosts": [ + "CISCO-SENSOR-3D", + "CISCO-SENSOR-3D" + ], "related.ip": [ "3.3.3.3", "2.2.2.2" diff --git a/x-pack/filebeat/module/cisco/ios/config/input.yml b/x-pack/filebeat/module/cisco/ios/config/input.yml index 2ed8ae959c2..e3e336cbe03 100644 --- a/x-pack/filebeat/module/cisco/ios/config/input.yml +++ b/x-pack/filebeat/module/cisco/ios/config/input.yml @@ -23,7 +23,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 - script: lang: javascript id: cisco_ios diff --git a/x-pack/filebeat/module/cisco/meraki/config/input.yml b/x-pack/filebeat/module/cisco/meraki/config/input.yml index ccc2cd1a6af..be15aeb075c 100644 --- a/x-pack/filebeat/module/cisco/meraki/config/input.yml +++ b/x-pack/filebeat/module/cisco/meraki/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml index 6172ce75db7..68d79ecc8c8 100644 --- a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml 
@@ -53,6 +53,14 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + if: ctx.host?.name != null + - append: + field: related.hosts + value: '{{host.hostname}}' + if: ctx.host?.hostname != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index f8677343c20..7f0a2c6273d 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -57,8 +57,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.16.212", - "10.102.218.31" + "10.102.218.31", + "10.15.16.212" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -389,8 +389,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.72.17", - "10.74.237.180" + "10.74.237.180", + "10.163.72.17" ], "rsa.internal.event_desc": "remipsum security_event liq", "rsa.internal.messageid": "security_event", @@ -557,8 +557,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.187.77.245", - "10.88.231.224" + "10.88.231.224", + "10.187.77.245" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -831,8 +831,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.12.182.70", - "10.31.77.157" + "10.31.77.157", + "10.12.182.70" ], "rsa.internal.event_desc": "uiac security_event epte", "rsa.internal.messageid": "security_event", @@ -960,8 +960,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.247.30.212", - "10.66.89.5" + "10.66.89.5", + "10.247.30.212" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
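Review bot: The two appends added here push host.name and host.hostname into related.hosts independently, so an event that carries both fields with the same value ends up with a duplicate entry; the Cisco ASA/FTD fixtures elsewhere in this series show exactly that outcome for the equivalent host.hostname/observer.hostname pair. Adding `allow_duplicates: false` to each append processor (where the deployed Elasticsearch supports that option) or folding the two into one guarded append would keep the field a set rather than a list with repeats. The cisco/nexus/ingest/pipeline.yml hunk in this series adds the identical pair and has the same issue.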
@@ -1025,8 +1025,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.173.136.186", - "10.221.102.245" + "10.221.102.245", + "10.173.136.186" ], "rsa.internal.event_desc": "idestlab", "rsa.internal.messageid": "security_event", @@ -1142,8 +1142,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.0.200.27", - "10.183.44.198" + "10.183.44.198", + "10.0.200.27" ], "rsa.internal.event_desc": "uradi security_event tot", "rsa.internal.messageid": "security_event", @@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.98.194.212", - "10.204.230.166" + "10.204.230.166", + "10.98.194.212" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1312,8 +1312,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.242.77.170", - "10.150.245.88" + "10.150.245.88", + "10.242.77.170" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1411,8 +1411,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.147.15.213", - "10.94.6.140" + "10.94.6.140", + "10.147.15.213" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1486,8 +1486,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.193.219.34", - "10.179.40.170" + "10.179.40.170", + "10.193.219.34" ], "rsa.counters.dclass_r1": "emip", "rsa.internal.messageid": "events", @@ -1791,6 +1791,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "remips188.api.invalid" + ], "related.ip": [ "10.40.101.224", "10.78.199.43" @@ -1938,8 +1941,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.122.204.151", - "10.148.211.222" + "10.148.211.222", + "10.122.204.151" ], "rsa.internal.event_desc": "umexercisecurity_event duntut", "rsa.internal.messageid": "security_event", 
@@ -2044,8 +2047,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.171.206.139", - "10.165.173.162" + "10.165.173.162", + "10.171.206.139" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2077,9 +2080,12 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "uames4985.mail.localdomain" + ], "related.ip": [ - "10.144.57.239", - "10.150.163.151" + "10.150.163.151", + "10.144.57.239" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2120,8 +2126,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.54.44.231", - "10.52.202.158" + "10.52.202.158", + "10.54.44.231" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2246,8 +2252,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.49.129", - "10.2.110.73" + "10.2.110.73", + "10.103.49.129" ], "rsa.counters.dclass_r1": "orumS", "rsa.internal.messageid": "events", @@ -2323,6 +2329,9 @@ "observer.product": "Meraki", "observer.type": "Wireless", "observer.vendor": "Cisco", + "related.hosts": [ + "lors2232.api.example" + ], "related.ip": [ "10.105.136.146", "10.46.217.155" @@ -2365,8 +2374,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.123.62.215", - "10.245.199.23" + "10.245.199.23", + "10.123.62.215" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", @@ -2428,8 +2437,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.16.230.121", - "10.196.176.243" + "10.196.176.243", + "10.16.230.121" ], "rsa.counters.dclass_r1": "velites", "rsa.internal.messageid": "events", 
@@ -2584,8 +2593,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.121.9.5",
- "10.244.32.189"
+ "10.244.32.189",
+ "10.121.9.5"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -2749,8 +2758,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.17.111.91",
- "10.65.0.157"
+ "10.65.0.157",
+ "10.17.111.91"
 ],
 "rsa.db.index": "nostrum",
 "rsa.internal.messageid": "flows",
@@ -2846,8 +2855,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.140.242.86",
- "10.177.64.152"
+ "10.177.64.152",
+ "10.140.242.86"
 ],
 "rsa.internal.messageid": "ids-alerts",
 "rsa.misc.event_type": "ids-alerts",
@@ -3018,8 +3027,8 @@
 "observer.type": "Wireless",
 "observer.vendor": "Cisco",
 "related.ip": [
- "10.254.96.130",
- "10.247.118.132"
+ "10.247.118.132",
+ "10.254.96.130"
 ],
 "rsa.counters.dclass_r1": "ectet",
 "rsa.internal.messageid": "events",
diff --git a/x-pack/filebeat/module/cisco/nexus/config/input.yml b/x-pack/filebeat/module/cisco/nexus/config/input.yml
index 5608926d955..747a6cf0085 100644
--- a/x-pack/filebeat/module/cisco/nexus/config/input.yml
+++ b/x-pack/filebeat/module/cisco/nexus/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
index ae975fb7e86..de033421186 100644
--- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml
@@ -53,6 +53,14 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: field: related.hosts value: '{{host.name}}' if: ctx.host?.name != null + - append: field: related.hosts value: '{{host.hostname}}' if: ctx.host?.hostname != null on_failure: - append: field: error.message
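Review bot: Both new `append` processors write to related.hosts without `allow_duplicates: false`, so an event whose host.name equals host.hostname (plausible when both are derived from the same syslog hostname) gets the same entry twice, which defeats related.hosts as a set for correlation; `allow_duplicates: false` on each append keeps it deduplicated. PATCH 07/10 later in this series lists this file in its diffstat, so this is likely already handled there and the two commits could be squashed. The `processors` list these appends extend starts outside the hunk.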
diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
index 7671bb649b9..a810eb52499 100644
--- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
+++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml
@@ -1547,6 +1547,22 @@ processors: field: related.hash value: "{{file.hash.sha256}}" if: "ctx?.file?.hash?.sha256 != null" + - append: field: related.hosts value: "{{host.hostname}}" if: ctx.host?.hostname != null + - append: field: related.hosts value: "{{observer.hostname}}" if: ctx.observer?.hostname != null + - append: field: related.hosts value: "{{destination.domain}}" if: ctx.destination?.domain != null + - append: field: related.hosts value: "{{source.domain}}" if: ctx.source?.domain != null on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure.
From c63a99e4c03abe9e473b5b77c6c8c8fd718833c3 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Fri, 18 Sep 2020 08:31:39 +0200
Subject: [PATCH 06/10] Add related.hosts to suricata
---
.../module/suricata/eve/ingest/pipeline.yml | 4 ++
.../eve/test/eve-alerts.log-expected.json | 60 +++++++++++++++++++
.../eve/test/eve-small.log-expected.json | 6 ++
3 files changed, 70 insertions(+)
diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
index 226b7f9c6c2..6811c4925e2 100644
--- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml
@@ -333,6 +333,10 @@ processors: field: file.x509.not_before value: '{{tls.server.not_before}}' ignore_empty_value: true + - append: field: related.hosts value: '{{url.domain}}' if: ctx.url?.domain != null - remove: field: - suricata.eve.app_proto
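Review bot: The four new `if` conditions are written unquoted as `ctx.host?.hostname != null` while the processor immediately above them in the context (`if: "ctx?.file?.hash?.sha256 != null"`) quotes the Painless expression and null-guards `ctx` itself; within one file the two forms should agree, e.g. `if: "ctx?.host?.hostname != null"`. The plain scalars parse fine as written, but a Painless string that starts with `[`, `{` or `!` would not, which is presumably why the existing line quotes it. The `processors` list these appends extend starts outside the hunk.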
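Review bot: `url.domain` is appended to related.hosts whenever it is set, but judging by the eve-small fixture in this same commit it can hold an IP literal (`192.168.86.28` ends up in both related.hosts and related.ip), so related.hosts is no longer a list of hostnames. If that is intended, a comment on the processor such as `# url.domain may be an IP literal; it is still recorded in related.hosts` would save the next reader from filing it as a bug; otherwise guard the append so IP literals stay in related.ip only. The `processors` list this append extends starts outside the hunk.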
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json index b7bc49cb9e0..68412b504dc 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-alerts.log-expected.json @@ -41,6 +41,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -118,6 +121,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -195,6 +201,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.net" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -272,6 +281,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -349,6 +361,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -426,6 +441,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "example.org" + ], "related.ip": [ "192.168.1.146", "93.184.216.34" @@ -503,6 +521,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -580,6 +601,9 @@ "network.packets": 7, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" 
@@ -657,6 +681,9 @@ "network.packets": 11, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -734,6 +761,9 @@ "network.packets": 126, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -811,6 +841,9 @@ "network.packets": 185, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -888,6 +921,9 @@ "network.packets": 377, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "security.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.88.152" @@ -965,6 +1001,9 @@ "network.packets": 131, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1042,6 +1081,9 @@ "network.packets": 210, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1119,6 +1161,9 @@ "network.packets": 412, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1196,6 +1241,9 @@ "network.packets": 504, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1273,6 +1321,9 @@ "network.packets": 916, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" @@ -1350,6 +1401,9 @@ "network.packets": 921, "network.protocol": "http", "network.transport": "tcp", + "related.hosts": [ + "archive.ubuntu.com" + ], "related.ip": [ "192.168.1.146", "91.189.91.23" 
@@ -1426,6 +1480,9 @@
 "network.packets": 1503,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "archive.ubuntu.com"
+ ],
 "related.ip": [
 "192.168.1.146",
 "91.189.91.23"
@@ -1502,6 +1559,9 @@
 "network.packets": 1654,
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "archive.ubuntu.com"
+ ],
 "related.ip": [
 "192.168.1.146",
 "91.189.91.23"
diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
index cbc0f39eb76..5d113c8d370 100644
--- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
+++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json
@@ -130,6 +130,9 @@
 "network.community_id": "1:gjMiDGtS5SVvdwzjjQdAKGBrDA4=",
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "192.168.86.28"
+ ],
 "related.ip": [
 "192.168.86.85",
 "192.168.86.28"
@@ -182,6 +185,9 @@
 "network.community_id": "1:XhhAO/Twj86+bD+1fV8FnpLIEDs=",
 "network.protocol": "http",
 "network.transport": "tcp",
+ "related.hosts": [
+ "192.168.86.28"
+ ],
 "related.ip": [
 "192.168.86.28",
 "192.168.86.85"
From 5384df1a09c6b00478e91fa72d3ce8d77e24087c Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Fri, 18 Sep 2020 10:57:10 +0200
Subject: [PATCH 07/10] Use allow_duplicates: false to remove duplicate hosts
---
.../osquery/result/ingest/pipeline.json | 3 +-
.../module/system/auth/ingest/pipeline.yml | 1 +
.../module/system/syslog/ingest/pipeline.yml | 1 +
.../additional_messages.log-expected.json | 66 ---
.../cisco/asa/test/asa-fix.log-expected.json | 5 -
.../cisco/asa/test/asa.log-expected.json | 100 -----
.../cisco/asa/test/filtered.log-expected.json | 2 -
.../asa/test/hostnames.log-expected.json | 2 -
.../cisco/asa/test/not-ip.log-expected.json | 2 -
.../cisco/asa/test/sample.log-expected.json | 13 -
.../cisco/ftd/test/asa-fix.log-expected.json | 4 -
.../cisco/ftd/test/asa.log-expected.json | 100 -----
.../cisco/ftd/test/dns.log-expected.json | 21 -
.../cisco/ftd/test/filtered.log-expected.json | 1 -
.../ftd/test/intrusion.log-expected.json | 4 -
.../ftd/test/no-type-id.log-expected.json | 4 -
.../cisco/ftd/test/not-ip.log-expected.json | 2 -
.../cisco/ftd/test/sample.log-expected.json | 27 --
.../security-connection.log-expected.json | 10 -
.../security-file-malware.log-expected.json | 10 -
.../security-malware-site.log-expected.json | 1 -
.../module/cisco/meraki/ingest/pipeline.yml | 2 +
.../meraki/test/generated.log-expected.json | 96 ++---
.../module/cisco/nexus/ingest/pipeline.yml | 2 +
.../cisco/shared/ingest/asa-ftd-pipeline.yml | 4 +
.../corepas/test/generated.log-expected.json | 408 +++++++++---------
.../defender_atp/ingest/pipeline.yml | 1 +
.../module/panw/panos/ingest/pipeline.yml | 1 +
.../log/test/generated.log-expected.json | 88 ++--
.../module/suricata/eve/ingest/pipeline.yml | 1 +
.../zia/test/generated.log-expected.json | 360 ++++++++--------
31 files changed, 491 insertions(+), 851 deletions(-)
diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json
index c35107a74ca..6d239aaeb2d 100644
--- a/filebeat/module/osquery/result/ingest/pipeline.json
+++ b/filebeat/module/osquery/result/ingest/pipeline.json
@@ -211,7 +211,8 @@
 "append": {
 "field": "related.hosts",
 "value": "{{host.hostname}}",
- "if": "ctx?.host?.hostname != null"
+ "if": "ctx?.host?.hostname != null",
+ "allow_duplicates": false
 }
 }
 ],
diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml
index 94b75ca1280..71a3a3aefb0 100644
--- a/filebeat/module/system/auth/ingest/pipeline.yml
+++ b/filebeat/module/system/auth/ingest/pipeline.yml
@@ -146,6 +146,7 @@ processors:
 field: related.hosts
 value: "{{host.hostname}}"
 if: "ctx.host?.hostname != null"
+ allow_duplicates: false
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml
index c0ed71b3471..69a3bc94b67 100644
--- a/filebeat/module/system/syslog/ingest/pipeline.yml
+++ b/filebeat/module/system/syslog/ingest/pipeline.yml
@@ -58,6 +58,7 @@ processors:
 field: related.hosts
 value: "{{host.hostname}}"
 if: "ctx.host?.hostname != null"
+ allow_duplicates: false
 on_failure:
 - set:
 field: error.message
diff --git a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
index 8c9bf28fee0..73d42d43af7 100644
--- a/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
+++ b/x-pack/filebeat/module/cisco/asa/test/additional_messages.log-expected.json
@@ -41,7 +41,6 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.hosts": [
- "dev01",
 "dev01"
 ],
 "related.ip": [
@@ -100,7 +99,6 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.hosts": [
- "dev01",
 "dev01"
 ],
 "related.ip": [
@@ -149,7 +147,6 @@
 "observer.type": "firewall",
 "observer.vendor": "Cisco",
 "related.hosts": [
- "dev01",
 "dev01"
 ],
 "related.ip": [
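Review bot: `"allow_duplicates": false` on the append processor is, as far as I recall, only accepted by Elasticsearch 7.10 and later, and an ingest pipeline with an unrecognised processor option is rejected as a whole at load time, so this quietly raises the minimum Elasticsearch version for every module touched by this commit (the same key is added to system/auth and system/syslog on this line, and the diffstat lists several more pipelines). Unless Beats already requires 7.10+ at this point, the requirement should be stated in the changelog or module docs so a user on an older cluster does not see every module pipeline fail to install. The `processors` array this hunk edits starts outside the hunk.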
@@ -197,7 +194,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -240,7 +236,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -286,7 +281,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -342,7 +336,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -399,7 +392,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -448,7 +440,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -500,7 +491,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -542,7 +532,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -581,7 +570,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -623,7 +611,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -668,7 +655,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -714,7 +700,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -760,7 +745,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -808,7 +792,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ 
@@ -865,7 +848,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -923,7 +905,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -979,7 +960,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1030,7 +1010,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1080,7 +1059,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1132,7 +1110,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1198,7 +1175,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1256,7 +1232,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1315,7 +1290,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1370,7 +1344,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1420,7 +1393,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1471,7 +1443,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1520,7 +1491,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1569,7 +1539,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ 
@@ -1618,7 +1587,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1660,7 +1628,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -1695,7 +1662,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -1732,7 +1698,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -1769,7 +1734,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -1816,7 +1780,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1870,7 +1833,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -1912,7 +1874,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -1947,7 +1908,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -1989,7 +1949,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2031,7 +1990,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -2066,7 +2024,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -2112,7 +2069,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2160,7 +2116,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", 
@@ -2206,7 +2161,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2257,7 +2211,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2303,7 +2256,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2349,7 +2301,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2395,7 +2346,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2441,7 +2391,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2507,7 +2456,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2568,7 +2516,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2631,7 +2578,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01", "somedomainname.local" ], @@ -2674,7 +2620,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01", "console" ], @@ -2714,7 +2659,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2757,7 +2701,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "service.type": "cisco", @@ -2799,7 +2742,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2844,7 +2786,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ 
@@ -2891,7 +2832,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2936,7 +2876,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -2976,7 +2915,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -3040,7 +2978,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -3081,7 +3018,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -3128,7 +3064,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ @@ -3191,7 +3126,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "dev01", "dev01" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json index 343dbf34315..94f2b616d27 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa-fix.log-expected.json @@ -41,7 +41,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ @@ -94,7 +93,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ @@ -196,7 +194,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ @@ -242,7 +239,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ 
@@ -291,7 +287,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json index 5f584e4ad8c..ea4dcecdef3 100644 --- a/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/asa.log-expected.json @@ -38,7 +38,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -99,7 +98,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -160,7 +158,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -221,7 +218,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -282,7 +278,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -343,7 +338,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -404,7 +398,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -465,7 +458,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -526,7 +518,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -587,7 +578,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -648,7 +638,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -709,7 +698,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -770,7 +758,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -831,7 +818,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -892,7 +878,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -953,7 +938,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1014,7 +998,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1075,7 +1058,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1136,7 +1118,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1191,7 +1172,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1252,7 +1232,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1313,7 +1292,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1374,7 +1352,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1435,7 +1412,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1490,7 +1466,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -1551,7 +1526,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1606,7 +1580,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1667,7 +1640,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1728,7 +1700,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1789,7 +1760,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1850,7 +1820,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1911,7 +1880,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1966,7 +1934,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2027,7 +1994,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2082,7 +2048,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2143,7 +2108,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2204,7 +2168,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2265,7 +2228,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2326,7 +2288,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -2381,7 +2342,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2442,7 +2402,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2503,7 +2462,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2564,7 +2522,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2625,7 +2582,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2686,7 +2642,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2741,7 +2696,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2802,7 +2756,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2863,7 +2816,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2924,7 +2876,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2985,7 +2936,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3046,7 +2996,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3101,7 +3050,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3162,7 +3110,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -3217,7 +3164,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3278,7 +3224,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3333,7 +3278,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3394,7 +3338,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3455,7 +3398,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3516,7 +3458,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3571,7 +3512,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3632,7 +3572,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3687,7 +3626,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3748,7 +3686,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3809,7 +3746,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3870,7 +3806,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3925,7 +3860,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3986,7 +3920,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -4047,7 +3980,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4102,7 +4034,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4163,7 +4094,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4209,7 +4139,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4257,7 +4186,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4318,7 +4246,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4364,7 +4291,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4403,7 +4329,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4442,7 +4367,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4481,7 +4405,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4520,7 +4443,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4559,7 +4481,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4613,7 +4534,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4674,7 +4594,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -4729,7 +4648,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4790,7 +4708,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4848,7 +4765,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4906,7 +4822,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4964,7 +4879,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5022,7 +4936,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5080,7 +4993,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5138,7 +5050,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5196,7 +5107,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5254,7 +5164,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5312,7 +5221,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5370,7 +5278,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5428,7 +5335,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5486,7 +5392,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -5544,7 +5449,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5599,7 +5503,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5660,7 +5563,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5715,7 +5617,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5776,7 +5677,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json index 009a7dc1c2d..948f6c85ab4 100644 --- a/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/filtered.log-expected.json @@ -27,7 +27,6 @@ "process.name": "asa", "process.pid": 1234, "related.hosts": [ - "beats", "beats" ], "service.type": "cisco", @@ -74,7 +73,6 @@ "process.name": "asa", "process.pid": 1234, "related.hosts": [ - "beats", "beats" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json index d64160084c2..70df45cbf91 100644 --- a/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/hostnames.log-expected.json @@ -32,7 +32,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "localhost", "localhost", "target.destination.hostname.local", "Prod-host.name.addr" @@ -80,7 +79,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "MYHOSTNAME", "MYHOSTNAME" ], "related.ip": [ 
diff --git a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json index 34425411699..85bfef8b52a 100644 --- a/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/not-ip.log-expected.json @@ -86,7 +86,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -148,7 +147,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "localhost", "localhost", "example.org" ], diff --git a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json index 7999c72b667..fcf7d339222 100644 --- a/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/asa/test/sample.log-expected.json @@ -190,7 +190,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "INT-FW01", "INT-FW01" ], "related.ip": [ @@ -246,7 +245,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "INT-FW01", "INT-FW01" ], "related.ip": [ @@ -709,7 +707,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "FJSG2NRFW01", "FJSG2NRFW01" ], "related.ip": [ @@ -2791,7 +2788,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -2840,7 +2836,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -2889,7 +2884,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -2938,7 +2932,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ 
@@ -2987,7 +2980,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3036,7 +3028,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3085,7 +3076,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3134,7 +3124,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3189,7 +3178,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3241,7 +3229,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json index 8920b7b5e0f..72b115c6975 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa-fix.log-expected.json @@ -42,7 +42,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ @@ -96,7 +95,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ @@ -200,7 +198,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ @@ -247,7 +244,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "SNL-ASA-VPN-A01", "SNL-ASA-VPN-A01" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json index 04449c7001c..70e87e332d9 100644 
--- a/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/asa.log-expected.json @@ -37,7 +37,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -97,7 +96,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -157,7 +155,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -217,7 +214,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -277,7 +273,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -337,7 +332,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -397,7 +391,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -457,7 +450,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -517,7 +509,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -577,7 +568,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -637,7 +627,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -697,7 +686,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -757,7 +745,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -817,7 +804,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -877,7 +863,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -937,7 +922,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -997,7 +981,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1057,7 +1040,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1117,7 +1099,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1171,7 +1152,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1231,7 +1211,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1291,7 +1270,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1351,7 +1329,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1411,7 +1388,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1465,7 +1441,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1525,7 +1500,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1579,7 +1553,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1639,7 +1612,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -1699,7 +1671,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1759,7 +1730,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1819,7 +1789,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1879,7 +1848,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1933,7 +1901,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -1993,7 +1960,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2047,7 +2013,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2107,7 +2072,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2167,7 +2131,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2227,7 +2190,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2287,7 +2249,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2341,7 +2302,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2401,7 +2361,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2461,7 +2420,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -2521,7 +2479,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2581,7 +2538,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2641,7 +2597,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2695,7 +2650,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2755,7 +2709,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2815,7 +2768,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2875,7 +2827,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2935,7 +2886,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -2995,7 +2945,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3049,7 +2998,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3109,7 +3057,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3163,7 +3110,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3223,7 +3169,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3277,7 +3222,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -3337,7 +3281,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3397,7 +3340,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3457,7 +3399,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3511,7 +3452,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3571,7 +3511,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3625,7 +3564,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3685,7 +3623,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3745,7 +3682,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3805,7 +3741,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3859,7 +3794,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3919,7 +3853,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -3979,7 +3912,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4033,7 +3965,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4093,7 +4024,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -4138,7 +4068,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4185,7 +4114,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4245,7 +4173,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4290,7 +4217,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4328,7 +4254,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4366,7 +4291,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4404,7 +4328,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4442,7 +4365,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4480,7 +4402,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "service.type": "cisco", @@ -4533,7 +4454,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4593,7 +4513,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4647,7 +4566,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4707,7 +4625,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4764,7 +4681,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -4821,7 +4737,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4878,7 +4793,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4935,7 +4849,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -4992,7 +4905,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5049,7 +4961,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5106,7 +5017,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5163,7 +5073,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5220,7 +5129,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5277,7 +5185,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5334,7 +5241,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5391,7 +5297,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5448,7 +5353,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5502,7 +5406,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5562,7 +5465,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ 
@@ -5616,7 +5518,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -5676,7 +5577,6 @@ "process.name": "CiscoASA", "process.pid": 999, "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json index bd0a28f0957..37efb99f483 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/dns.log-expected.json @@ -83,7 +83,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -192,7 +191,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -299,7 +297,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -408,7 +405,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -516,7 +512,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -623,7 +618,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -733,7 +727,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -840,7 +833,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -948,7 +940,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1057,7 +1048,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ 
@@ -1167,7 +1157,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1270,7 +1259,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1378,7 +1366,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1485,7 +1472,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1593,7 +1579,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1702,7 +1687,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1809,7 +1793,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -1916,7 +1899,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -2023,7 +2005,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -2128,7 +2109,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -2237,7 +2217,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json index eb9e4027780..6e77e652aff 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/filtered.log-expected.json 
@@ -28,7 +28,6 @@ "process.name": "asa", "process.pid": 1234, "related.hosts": [ - "beats", "beats" ], "service.type": "cisco", diff --git a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json index 384dda1c9b3..681c8052cb0 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/intrusion.log-expected.json @@ -63,7 +63,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -149,7 +148,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -231,7 +229,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -313,7 +310,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json index 0602f5d1189..b204f179fa3 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/no-type-id.log-expected.json @@ -38,7 +38,6 @@ "process.name": "ftd", "process.pid": 1234, "related.hosts": [ - "beats", "beats" ], "related.ip": [ @@ -86,7 +85,6 @@ "process.name": "ftd", "process.pid": 1234, "related.hosts": [ - "beats", "beats" ], "service.type": "cisco", @@ -129,7 +127,6 @@ "process.name": "ftd", "process.pid": 1234, "related.hosts": [ - "beats", "beats" ], "service.type": "cisco", @@ -184,7 +181,6 @@ "process.name": "ftd", "process.pid": 1234, "related.hosts": [ - "beats", "beats" ], "related.ip": [ 
diff --git a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json index 6d075a79629..cc0af87b551 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/not-ip.log-expected.json @@ -84,7 +84,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "localhost", "localhost" ], "related.ip": [ @@ -145,7 +144,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "localhost", "localhost", "example.org" ], diff --git a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json index 2afe4aeb62b..592e7ae85e9 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/sample.log-expected.json @@ -186,7 +186,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "INT-FW01", "INT-FW01" ], "related.ip": [ @@ -241,7 +240,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "INT-FW01", "INT-FW01" ], "related.ip": [ @@ -695,7 +693,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "FJSG2NRFW01", "FJSG2NRFW01" ], "related.ip": [ @@ -1972,7 +1969,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2027,7 +2023,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2082,7 +2077,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2140,7 +2134,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1", "OCSP_Server" ], 
@@ -2198,7 +2191,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1", "OCSP_Server" ], @@ -2256,7 +2248,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2314,7 +2305,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2372,7 +2362,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2422,7 +2411,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2472,7 +2460,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2527,7 +2514,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2585,7 +2571,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2643,7 +2628,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2701,7 +2685,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "127.0.0.1", "127.0.0.1" ], "related.ip": [ @@ -2802,7 +2785,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -2850,7 +2832,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -2898,7 +2879,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ 
@@ -2946,7 +2926,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -2994,7 +2973,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3042,7 +3020,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3090,7 +3067,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3138,7 +3114,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3192,7 +3167,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ @@ -3243,7 +3217,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "GIFRCHN01", "GIFRCHN01" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json index 91ffa1c6ed5..3cef5df9a0f 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-connection.log-expected.json @@ -66,7 +66,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -159,7 +158,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -260,7 +258,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -368,7 +365,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ 
@@ -464,7 +460,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -578,7 +573,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -677,7 +671,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -787,7 +780,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -876,7 +868,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -978,7 +969,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json index ec853ea1c76..8ab3e55fc87 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-file-malware.log-expected.json @@ -52,7 +52,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -127,7 +126,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -202,7 +200,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -277,7 +274,6 @@ "observer.type": "firewall", "observer.vendor": "Cisco", "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -361,7 +357,6 @@ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ 
@@ -445,7 +440,6 @@ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -533,7 +527,6 @@ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], "related.hosts": [ - "siem-ftd", "siem-ftd" ], "related.ip": [ @@ -629,7 +622,6 @@ "2546dcffc5ad854d4ddc64fbf056871cd5a00f2471cb7a5bfd4ac23b6e9eedad" ], "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -716,7 +708,6 @@ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ @@ -813,7 +804,6 @@ "9a04a82eb19ad382f9e9dbafa498c6b4291f93cfe98d9e8b2915af99c06ffcd7" ], "related.hosts": [ - "firepower", "firepower" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json index 23a2d983b72..73ab6378da1 100644 --- a/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json +++ b/x-pack/filebeat/module/cisco/ftd/test/security-malware-site.log-expected.json @@ -87,7 +87,6 @@ "observer.vendor": "Cisco", "process.name": "Alerts", "related.hosts": [ - "CISCO-SENSOR-3D", "CISCO-SENSOR-3D" ], "related.ip": [ diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml index 68d79ecc8c8..ca144a95c4f 100644 --- a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml @@ -57,10 +57,12 @@ processors: field: related.hosts value: '{{host.name}}' if: ctx.host?.name != null + allow_duplicates: false - append: field: related.hosts value: '{{host.hostname}}' if: ctx.host?.hostname != null + allow_duplicates: false on_failure: - append: field: error.message 
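Review bot: `allow_duplicates: false` on the two `related.hosts` appends compares the rendered value to the existing entries by exact string match, so a `host.name` and `host.hostname` that differ only in case, or as FQDN versus short name, will still both be appended; if one entry per host is the goal, a normalisation step (for example lowercasing) before these appends is still needed. The same observation applies to the identical additions in the nexus, asa-ftd, defender_atp, panos and suricata pipelines further down this diff, so I am not repeating it there. The `allow_duplicates` option on the `append` processor is a fairly recent Elasticsearch addition (7.10 to my knowledge), so the module's minimum supported stack version should be checked against it and, if it changes, recorded in the module docs. The enclosing `processors` list starts and ends outside the hunk.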
diff --git a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json index 7f0a2c6273d..beeffa9b5eb 100644 --- a/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cisco/meraki/test/generated.log-expected.json @@ -17,8 +17,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.15.44.253", - "10.193.124.51" + "10.193.124.51", + "10.15.44.253" ], "rsa.internal.event_desc": "olaborissecurity_event tur", "rsa.internal.messageid": "security_event", @@ -389,8 +389,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.74.237.180", - "10.163.72.17" + "10.163.72.17", + "10.74.237.180" ], "rsa.internal.event_desc": "remipsum security_event liq", "rsa.internal.messageid": "security_event", @@ -519,8 +519,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.53.150.119", - "10.85.10.165" + "10.85.10.165", + "10.53.150.119" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -692,8 +692,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.182.178.217", - "10.63.194.87" + "10.63.194.87", + "10.182.178.217" ], "rsa.counters.dclass_r1": "fdeFi", "rsa.internal.messageid": "events", @@ -896,8 +896,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.93.68.231", - "10.135.217.12" + "10.135.217.12", + "10.93.68.231" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -960,8 +960,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.66.89.5", - "10.247.30.212" + "10.247.30.212", + "10.66.89.5" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ 
@@ -1064,8 +1064,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.58.64.108", - "10.54.37.86" + "10.54.37.86", + "10.58.64.108" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1100,8 +1100,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.163.93.20", - "10.147.76.202" + "10.147.76.202", + "10.163.93.20" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1215,8 +1215,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.204.230.166", - "10.98.194.212" + "10.98.194.212", + "10.204.230.166" ], "rsa.counters.dclass_r1": "enimadmi", "rsa.internal.messageid": "events", @@ -1411,8 +1411,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.94.6.140", - "10.147.15.213" + "10.147.15.213", + "10.94.6.140" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -1638,8 +1638,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.90.99.245", - "10.124.63.4" + "10.124.63.4", + "10.90.99.245" ], "rsa.internal.event_desc": "etconsec", "rsa.internal.messageid": "security_event", @@ -1867,8 +1867,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.39.172.93", - "10.83.131.245" + "10.83.131.245", + "10.39.172.93" ], "rsa.internal.messageid": "flows", "rsa.misc.action": [ @@ -1941,8 +1941,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.148.211.222", - "10.122.204.151" + "10.122.204.151", + "10.148.211.222" ], "rsa.internal.event_desc": "umexercisecurity_event duntut", "rsa.internal.messageid": "security_event", @@ -2011,8 +2011,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.97.46.16", - "10.120.4.9" + "10.120.4.9", + "10.97.46.16" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", 
@@ -2047,8 +2047,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.165.173.162", - "10.171.206.139" + "10.171.206.139", + "10.165.173.162" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2126,8 +2126,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.52.202.158", - "10.54.44.231" + "10.54.44.231", + "10.52.202.158" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2333,8 +2333,8 @@ "lors2232.api.example" ], "related.ip": [ - "10.105.136.146", - "10.46.217.155" + "10.46.217.155", + "10.105.136.146" ], "rsa.internal.messageid": "events", "rsa.misc.event_source": "appliance", @@ -2374,8 +2374,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.245.199.23", - "10.123.62.215" + "10.123.62.215", + "10.245.199.23" ], "rsa.db.index": "iusmodt", "rsa.internal.messageid": "flows", @@ -2480,8 +2480,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.34.62.190", - "10.246.152.72" + "10.246.152.72", + "10.34.62.190" ], "rsa.internal.event_desc": "Nem", "rsa.internal.messageid": "security_event", @@ -2593,8 +2593,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.244.32.189", - "10.121.9.5" + "10.121.9.5", + "10.244.32.189" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2719,8 +2719,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.103.91.159", - "10.199.19.205" + "10.199.19.205", + "10.103.91.159" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", @@ -2855,8 +2855,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.177.64.152", - "10.140.242.86" + "10.140.242.86", + "10.177.64.152" ], "rsa.internal.messageid": "ids-alerts", "rsa.misc.event_type": "ids-alerts", 
@@ -3067,8 +3067,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.101.13.122", - "10.200.98.243" + "10.200.98.243", + "10.101.13.122" ], "rsa.counters.dclass_r1": "uteirur", "rsa.internal.messageid": "events", @@ -3330,8 +3330,8 @@ "observer.type": "Wireless", "observer.vendor": "Cisco", "related.ip": [ - "10.85.59.172", - "10.75.122.111" + "10.75.122.111", + "10.85.59.172" ], "rsa.counters.dclass_r1": "sequat", "rsa.internal.messageid": "events", diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml index de033421186..092221f8389 100644 --- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml @@ -57,10 +57,12 @@ processors: field: related.hosts value: '{{host.name}}' if: ctx.host?.name != null + allow_duplicates: false - append: field: related.hosts value: '{{host.hostname}}' if: ctx.host?.hostname != null + allow_duplicates: false on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index a810eb52499..727968cdf96 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml 
@@ -1551,18 +1551,22 @@ processors: field: related.hosts value: "{{host.hostname}}" if: ctx.host?.hostname != null + allow_duplicates: false - append: field: related.hosts value: "{{observer.hostname}}" if: ctx.observer?.hostname != null + allow_duplicates: false - append: field: related.hosts value: "{{destination.domain}}" if: ctx.destination?.domain != null + allow_duplicates: false - append: field: related.hosts value: "{{source.domain}}" if: ctx.source?.domain != null + allow_duplicates: false on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help # with diagnosing the failure. diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json index 2df25e0b1fe..e62f472e5c4 100644 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -20,9 +20,9 @@ "10.208.15.216" ], "related.user": [ - "itv", + "utl", "quasiarc", - "utl" + "itv" ], "rsa.db.index": "nes", "rsa.internal.event_desc": "pexe", @@ -68,9 +68,9 @@ "10.92.136.230" ], "related.user": [ - "nnumqu", + "dolore", "orev", - "dolore" + "nnumqu" ], "rsa.db.database": "umdo", "rsa.db.index": "vol", @@ -129,8 +129,8 @@ ], "related.user": [ "nse", - "incid", - "serror" + "serror", + "incid" ], "rsa.db.database": "byC", "rsa.db.index": "tur", @@ -184,13 +184,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.6713", "related.ip": [ - "10.155.236.240", - "10.53.192.140" + "10.53.192.140", + "10.155.236.240" ], "related.user": [ - "atcup", + "ptass", "psumquia", - "ptass" + "atcup" ], "rsa.db.database": "aperi", "rsa.db.index": "llumd", 
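Review bot: Deduplication here removes repeated entries but not values that arguably do not belong in `related.hosts` at all: the cisco/ftd expected fixtures earlier in this same diff still keep `"127.0.0.1"` as the surviving entry after the duplicate is dropped, which is an IP literal rather than a host name (presumably from `host.hostname` or `observer.hostname` when the syslog source is the loopback address — I cannot confirm from the hunk). If the field is meant to hold only names, each of the four appends could carry an additional condition that skips IP-shaped values, leaving them to the `related.ip` appends; otherwise a short comment above the block stating that IP literals are intentionally kept in `related.hosts` would save the next reader the same question. Since `allow_duplicates` checks against the entries already present, the order of these four appends decides which source's spelling is kept when two sources name the same host. The enclosing `processors` list starts and ends outside the hunk.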
@@ -288,12 +288,12 @@ "observer.vendor": "Cyberark", "observer.version": "1.3491", "related.ip": [ - "10.139.186.201", - "10.172.14.142" + "10.172.14.142", + "10.139.186.201" ], "related.user": [ - "tcupida", "aboris", + "tcupida", "uam" ], "rsa.db.database": "isiu", @@ -352,9 +352,9 @@ "10.104.111.129" ], "related.user": [ - "ele", + "ipis", "etconsec", - "ipis" + "ele" ], "rsa.db.database": "riat", "rsa.db.index": "umdolor", @@ -408,8 +408,8 @@ "10.116.120.216" ], "related.user": [ - "umdo", "quiratio", + "umdo", "animi" ], "rsa.db.index": "oll", @@ -452,13 +452,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.5529", "related.ip": [ - "10.57.40.29", - "10.62.54.220" + "10.62.54.220", + "10.57.40.29" ], "related.user": [ "rnatura", - "taevi", - "psum" + "psum", + "taevi" ], "rsa.db.database": "emeumfug", "rsa.db.index": "omn", @@ -513,8 +513,8 @@ ], "related.user": [ "ema", - "cup", - "tnon" + "tnon", + "cup" ], "rsa.db.index": "remeumf", "rsa.internal.event_desc": "lup", @@ -556,9 +556,9 @@ "10.18.165.35" ], "related.user": [ + "remeum", "lor", - "modocons", - "remeum" + "modocons" ], "rsa.db.index": "etM", "rsa.internal.event_desc": "etc", @@ -600,8 +600,8 @@ "10.74.253.127" ], "related.user": [ - "tema", "onproide", + "tema", "icab" ], "rsa.db.index": "mqui", @@ -701,9 +701,9 @@ "10.21.78.128" ], "related.user": [ - "taut", + "giatquov", "upt", - "giatquov" + "taut" ], "rsa.db.index": "iadese", "rsa.internal.event_desc": "deFinibu", @@ -745,8 +745,8 @@ "10.18.109.121" ], "related.user": [ - "pida", "tatn", + "pida", "hil" ], "rsa.db.index": "quip", @@ -793,9 +793,9 @@ "10.225.115.13" ], "related.user": [ - "reetd", + "equep", "iunt", - "equep" + "reetd" ], "rsa.db.database": "aliqu", "rsa.db.index": "mipsumd", 
@@ -849,12 +849,12 @@ "observer.vendor": "Cyberark", "observer.version": "1.3219", "related.ip": [ - "10.95.64.124", - "10.47.202.102" + "10.47.202.102", + "10.95.64.124" ], "related.user": [ - "run", "ice", + "run", "ntor" ], "rsa.db.database": "ite", @@ -908,8 +908,8 @@ "observer.vendor": "Cyberark", "observer.version": "1.6371", "related.ip": [ - "10.244.114.61", - "10.106.239.55" + "10.106.239.55", + "10.244.114.61" ], "related.user": [ "serunt", @@ -1026,13 +1026,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.1123", "related.ip": [ - "10.227.177.121", - "10.33.245.220" + "10.33.245.220", + "10.227.177.121" ], "related.user": [ - "liqui", "tasuntex", - "iduntu" + "iduntu", + "liqui" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1197,9 +1197,9 @@ "10.214.191.180" ], "related.user": [ - "tDuisaut", "luptatev", - "uteirure" + "uteirure", + "tDuisaut" ], "rsa.db.database": "uamest", "rsa.db.index": "uae", @@ -1257,9 +1257,9 @@ "10.252.124.150" ], "related.user": [ - "ipsumd", "litessec", - "com" + "com", + "ipsumd" ], "rsa.db.database": "tasn", "rsa.db.index": "squirati", @@ -1317,9 +1317,9 @@ "10.192.34.76" ], "related.user": [ + "lore", "iquipe", - "temqu", - "lore" + "temqu" ], "rsa.db.database": "gnamal", "rsa.db.index": "ntexplic", @@ -1372,12 +1372,12 @@ "observer.vendor": "Cyberark", "observer.version": "1.2217", "related.ip": [ - "10.216.84.30", - "10.154.4.197" + "10.154.4.197", + "10.216.84.30" ], "related.user": [ - "untu", - "intoc" + "intoc", + "untu" ], "rsa.db.database": "oditem", "rsa.db.index": "borios", @@ -1430,8 +1430,8 @@ "10.143.193.199" ], "related.user": [ - "tqu", "niamqui", + "tqu", "quid" ], "rsa.db.index": "inci", @@ -1479,8 +1479,8 @@ ], "related.user": [ "ritatise", - "essequam", - "umqu" + "umqu", + "essequam" ], "rsa.db.database": "ender", "rsa.db.index": "entorev", 
@@ -1534,9 +1534,9 @@ "10.205.72.243" ], "related.user": [ - "isiuta", + "tatn", "umdolo", - "tatn" + "isiuta" ], "rsa.db.index": "proide", "rsa.internal.event_desc": "ameiusm", @@ -1578,8 +1578,8 @@ "10.107.9.163" ], "related.user": [ - "mac", "sit", + "mac", "mquisno" ], "rsa.db.index": "sit", @@ -1623,8 +1623,8 @@ ], "related.user": [ "asiarc", - "umSe", - "quidexea" + "quidexea", + "umSe" ], "rsa.db.index": "veli", "rsa.internal.event_desc": "quatu", @@ -1670,9 +1670,9 @@ "10.235.136.109" ], "related.user": [ - "urExcept", + "aboreetd", "ptass", - "aboreetd" + "urExcept" ], "rsa.db.database": "teirured", "rsa.db.index": "dolorem", @@ -1726,8 +1726,8 @@ "10.96.224.19" ], "related.user": [ - "itation", "ibusBon", + "itation", "doloreme" ], "rsa.db.index": "oremipsu", @@ -1814,13 +1814,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.3804", "related.ip": [ - "10.226.101.180", - "10.226.20.199" + "10.226.20.199", + "10.226.101.180" ], "related.user": [ "rationev", - "veniamqu", - "ritt" + "ritt", + "veniamqu" ], "rsa.db.database": "conse", "rsa.db.index": "imveniam", @@ -1879,9 +1879,9 @@ "10.86.22.67" ], "related.user": [ - "utaliqu", "quaUten", - "cab" + "cab", + "utaliqu" ], "rsa.db.database": "isciv", "rsa.db.index": "nofd", @@ -1938,9 +1938,9 @@ "10.70.147.120" ], "related.user": [ + "cidunt", "tten", - "emqu", - "cidunt" + "emqu" ], "rsa.db.index": "eaqu", "rsa.internal.event_desc": "quidol", @@ -1982,13 +1982,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.6255", "related.ip": [ - "10.24.111.229", - "10.178.242.100" + "10.178.242.100", + "10.24.111.229" ], "related.user": [ "dqu", - "idid", - "loi" + "loi", + "idid" ], "rsa.db.database": "tenatuse", "rsa.db.index": "ullamcor", @@ -2042,9 +2042,9 @@ "10.211.179.168" ], "related.user": [ + "untincul", "ritati", - "mmodoc", - "untincul" + "mmodoc" ], "rsa.db.index": "emvele", "rsa.internal.event_desc": "oluptas", 
@@ -2086,9 +2086,9 @@ "10.30.243.163" ], "related.user": [ - "mven", + "illu", "dolore", - "illu" + "mven" ], "rsa.db.index": "idol", "rsa.internal.event_desc": "lore", @@ -2130,12 +2130,12 @@ "observer.vendor": "Cyberark", "observer.version": "1.1844", "related.ip": [ - "10.212.214.4", - "10.6.79.159" + "10.6.79.159", + "10.212.214.4" ], "related.user": [ - "quid", "amvo", + "quid", "midestl" ], "rsa.db.database": "urExce", @@ -2194,9 +2194,9 @@ "10.237.170.202" ], "related.user": [ - "liquide", "atDu", - "rcit" + "rcit", + "liquide" ], "rsa.db.database": "taedict", "rsa.db.index": "loremeu", @@ -2250,13 +2250,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.4282", "related.ip": [ - "10.179.50.138", - "10.228.118.81" + "10.228.118.81", + "10.179.50.138" ], "related.user": [ + "tatemU", "itasper", - "emoe", - "tatemU" + "emoe" ], "rsa.db.database": "toditaut", "rsa.db.index": "ugit", @@ -2314,9 +2314,9 @@ "10.234.165.130" ], "related.user": [ - "emip", + "iuntNequ", "henderit", - "iuntNequ" + "emip" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2371,8 +2371,8 @@ ], "related.user": [ "turadipi", - "emip", - "olorema" + "olorema", + "emip" ], "rsa.db.index": "ataevi", "rsa.internal.event_desc": "minim", @@ -2414,8 +2414,8 @@ "10.193.219.34" ], "related.user": [ - "uamei", "utlabo", + "uamei", "olorem" ], "rsa.db.index": "nse", @@ -2458,13 +2458,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.7083", "related.ip": [ - "10.174.185.109", - "10.120.167.217" + "10.120.167.217", + "10.174.185.109" ], "related.user": [ - "animid", "rsp", - "dolorem" + "dolorem", + "animid" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2518,13 +2518,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.1432", "related.ip": [ - "10.117.137.159", - "10.141.213.219" + "10.141.213.219", + "10.117.137.159" ], "related.user": [ "atev", - "accusa", - "ate" + "ate", + "accusa" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", 
@@ -2582,8 +2582,8 @@ "10.94.224.229" ], "related.user": [ - "rem", "eavol", + "rem", "etconsec" ], "rsa.db.database": "oditempo", @@ -2644,9 +2644,9 @@ "10.201.81.46" ], "related.user": [ - "incidid", + "tiumto", "mipsumqu", - "tiumto" + "incidid" ], "rsa.db.database": "abor", "rsa.db.index": "adol", @@ -2706,9 +2706,9 @@ "10.214.245.95" ], "related.user": [ + "umdolors", "rerepre", - "uptatem", - "umdolors" + "uptatem" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2762,9 +2762,9 @@ "10.45.35.180" ], "related.user": [ - "mip", "qui", - "Utenima" + "Utenima", + "mip" ], "rsa.db.index": "boree", "rsa.internal.event_desc": "uteir", @@ -2806,9 +2806,9 @@ "10.141.200.133" ], "related.user": [ + "iame", "enim", - "ess", - "iame" + "ess" ], "rsa.db.index": "nofdeFi", "rsa.internal.event_desc": "isnostru", @@ -2850,8 +2850,8 @@ "10.83.238.145" ], "related.user": [ - "ugi", "illoi", + "ugi", "runtmo" ], "rsa.db.index": "eetdo", @@ -2898,9 +2898,9 @@ "10.41.89.217" ], "related.user": [ - "tperspic", "sedquiac", - "tem" + "tem", + "tperspic" ], "rsa.db.database": "radipis", "rsa.db.index": "nse", @@ -2954,13 +2954,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.6382", "related.ip": [ - "10.153.123.20", - "10.5.5.1" + "10.5.5.1", + "10.153.123.20" ], "related.user": [ - "unt", + "minim", "CSe", - "minim" + "unt" ], "rsa.db.database": "atu", "rsa.db.index": "roi", @@ -3019,8 +3019,8 @@ ], "related.user": [ "iamea", - "giatquov", - "eursinto" + "eursinto", + "giatquov" ], "rsa.db.database": "ici", "rsa.db.index": "iquaUt", @@ -3119,9 +3119,9 @@ "10.169.123.103" ], "related.user": [ - "oeni", "etquasia", - "xplic" + "xplic", + "oeni" ], "rsa.db.index": "hend", "rsa.internal.event_desc": "piscivel", @@ -3167,9 +3167,9 @@ "10.126.205.76" ], "related.user": [ + "iati", "rsitvol", - "Nemoenim", - "iati" + "Nemoenim" ], "rsa.db.index": "eFini", "rsa.internal.event_desc": "acom", 
@@ -3215,9 +3215,9 @@ "10.164.66.154" ], "related.user": [ - "eufug", "orissu", - "ine" + "ine", + "eufug" ], "rsa.db.database": "stquidol", "rsa.db.index": "imadmini", @@ -3271,9 +3271,9 @@ "10.70.83.200" ], "related.user": [ + "metco", "ihilmole", - "riat", - "metco" + "riat" ], "rsa.db.index": "urQuis", "rsa.internal.event_desc": "iutaliq", @@ -3319,9 +3319,9 @@ "10.134.55.11" ], "related.user": [ - "madminim", + "mmod", "tanimid", - "mmod" + "madminim" ], "rsa.db.database": "tetura", "rsa.db.index": "uptasnul", @@ -3379,8 +3379,8 @@ "10.52.150.104" ], "related.user": [ - "eritq", "oinBCSed", + "eritq", "texplica" ], "rsa.db.database": "lit", @@ -3435,13 +3435,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.3175", "related.ip": [ - "10.61.175.217", - "10.41.232.147" + "10.41.232.147", + "10.61.175.217" ], "related.user": [ - "tat", + "runtm", "ntexpl", - "runtm" + "tat" ], "rsa.db.database": "rere", "rsa.db.index": "nonn", @@ -3495,9 +3495,9 @@ "10.150.30.95" ], "related.user": [ - "mini", + "atnonpr", "uisnos", - "atnonpr" + "mini" ], "rsa.db.index": "smod", "rsa.internal.event_desc": "isn", @@ -3539,9 +3539,9 @@ "10.98.71.45" ], "related.user": [ - "CSe", + "onse", "fugitse", - "onse" + "CSe" ], "rsa.db.index": "Dui", "rsa.internal.event_desc": "isci", @@ -3584,8 +3584,8 @@ ], "related.user": [ "remq", - "rspic", - "nonn" + "nonn", + "rspic" ], "rsa.db.index": "nre", "rsa.internal.event_desc": "tev", @@ -3628,8 +3628,8 @@ ], "related.user": [ "eserun", - "iumdo", - "uta" + "uta", + "iumdo" ], "rsa.db.index": "smo", "rsa.internal.event_desc": "olesti", @@ -3715,13 +3715,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.3824", "related.ip": [ - "10.123.62.215", - "10.250.248.215" + "10.250.248.215", + "10.123.62.215" ], "related.user": [ + "tinculpa", "aevitaed", - "quaeratv", - "tinculpa" + "quaeratv" ], "rsa.db.database": "lica", "rsa.db.index": "uisnos", 
@@ -3778,8 +3778,8 @@ "10.146.57.23" ], "related.user": [ - "tateveli", - "isiutali" + "isiutali", + "tateveli" ], "rsa.db.database": "cin", "rsa.db.index": "onofdeF", @@ -3833,8 +3833,8 @@ ], "related.user": [ "niamqui", - "ptatemU", - "uamestqu" + "uamestqu", + "ptatemU" ], "rsa.db.index": "doeiu", "rsa.internal.event_desc": "uasiarc", @@ -3877,8 +3877,8 @@ ], "related.user": [ "nesci", - "onnumqua", - "tetura" + "tetura", + "onnumqua" ], "rsa.db.index": "oinBCSed", "rsa.internal.event_desc": "ntor", @@ -3920,9 +3920,9 @@ "10.47.63.70" ], "related.user": [ - "midestl", + "expl", "tpers", - "expl" + "midestl" ], "rsa.db.index": "olu", "rsa.internal.event_desc": "odocons", @@ -3964,9 +3964,9 @@ "10.178.160.245" ], "related.user": [ + "fdeFinib", "turQuis", - "olupta", - "fdeFinib" + "olupta" ], "rsa.db.index": "rsint", "rsa.internal.event_desc": "odico", @@ -4008,13 +4008,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.6648", "related.ip": [ - "10.89.154.115", - "10.85.13.237" + "10.85.13.237", + "10.89.154.115" ], "related.user": [ - "emeu", "luptat", - "Nem" + "Nem", + "emeu" ], "rsa.db.database": "nturmag", "rsa.db.index": "maliqua", @@ -4068,13 +4068,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.3387", "related.ip": [ - "10.65.207.234", - "10.222.32.183" + "10.222.32.183", + "10.65.207.234" ], "related.user": [ - "eruntmo", + "eve", "itame", - "eve" + "eruntmo" ], "rsa.db.database": "udexerc", "rsa.db.index": "volup", @@ -4128,8 +4128,8 @@ "10.16.181.60" ], "related.user": [ - "gnama", "oinven", + "gnama", "olore" ], "rsa.db.index": "uatu", @@ -4172,9 +4172,9 @@ "10.91.213.82" ], "related.user": [ - "illoin", + "amnis", "uianon", - "amnis" + "illoin" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4216,9 +4216,9 @@ "10.204.214.98" ], "related.user": [ - "eprehe", "porissus", - "tdolo" + "tdolo", + "eprehe" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", 
@@ -4260,8 +4260,8 @@ "10.223.178.192" ], "related.user": [ - "moenimip", "evel", + "moenimip", "etc" ], "rsa.db.index": "iarchit", @@ -4308,8 +4308,8 @@ "10.26.33.181" ], "related.user": [ - "ati", "audant", + "ati", "taevit" ], "rsa.db.database": "com", @@ -4368,9 +4368,9 @@ "10.142.161.116" ], "related.user": [ + "mpori", "quaerat", - "isi", - "mpori" + "isi" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4424,13 +4424,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.1026", "related.ip": [ - "10.10.174.253", - "10.107.24.54" + "10.107.24.54", + "10.10.174.253" ], "related.user": [ + "uptasn", "hend", - "itinvo", - "uptasn" + "itinvo" ], "rsa.db.database": "lup", "rsa.db.index": "isau", @@ -4485,9 +4485,9 @@ "10.87.92.17" ], "related.user": [ - "luptate", "eeufug", - "tamr" + "tamr", + "luptate" ], "rsa.db.index": "oreeufug", "rsa.internal.event_desc": "ura", @@ -4537,9 +4537,9 @@ "10.231.51.136" ], "related.user": [ + "accus", "asper", - "Finibus", - "accus" + "Finibus" ], "rsa.db.database": "litani", "rsa.db.index": "arch", @@ -4593,8 +4593,8 @@ "10.51.17.32" ], "related.user": [ - "itten", "mquido", + "itten", "llum" ], "rsa.db.index": "uscipit", @@ -4638,8 +4638,8 @@ ], "related.user": [ "mmodicon", - "cusa", - "ollita" + "ollita", + "cusa" ], "rsa.db.index": "ercitati", "rsa.internal.event_desc": "pteurs", @@ -4682,12 +4682,12 @@ "observer.vendor": "Cyberark", "observer.version": "1.425", "related.ip": [ - "10.198.187.144", - "10.114.0.148" + "10.114.0.148", + "10.198.187.144" ], "related.user": [ - "equatD", "rsitamet", + "equatD", "ons" ], "rsa.db.database": "periam", @@ -4746,9 +4746,9 @@ "10.61.140.120" ], "related.user": [ + "equa", "loru", - "naaliq", - "equa" + "naaliq" ], "rsa.db.index": "umfugiat", "rsa.internal.event_desc": "ora", 
@@ -4790,13 +4790,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.6988", "related.ip": [ - "10.93.24.151", - "10.149.238.108" + "10.149.238.108", + "10.93.24.151" ], "related.user": [ + "sequamn", "nven", - "ite", - "sequamn" + "ite" ], "rsa.db.database": "fugi", "rsa.db.index": "nesciu", @@ -4850,9 +4850,9 @@ "10.101.45.225" ], "related.user": [ - "cipitla", + "uinesc", "emi", - "uinesc" + "cipitla" ], "rsa.db.index": "caecat", "rsa.internal.event_desc": "tsunt", @@ -4943,8 +4943,8 @@ "10.33.112.100" ], "related.user": [ - "ptatemse", "enimad", + "ptatemse", "aliqu" ], "rsa.db.index": "Except", @@ -4991,8 +4991,8 @@ "10.151.110.250" ], "related.user": [ - "neavol", "pidatatn", + "neavol", "tla" ], "rsa.db.database": "itaedict", @@ -5047,13 +5047,13 @@ "observer.vendor": "Cyberark", "observer.version": "1.4965", "related.ip": [ - "10.77.9.17", - "10.146.61.5" + "10.146.61.5", + "10.77.9.17" ], "related.user": [ + "alorumwr", "umS", - "tevel", - "alorumwr" + "tevel" ], "rsa.db.database": "amremap", "rsa.db.index": "aqu", @@ -5107,9 +5107,9 @@ "10.128.102.130" ], "related.user": [ - "ore", + "sequatu", "que", - "sequatu" + "ore" ], "rsa.db.index": "exerci", "rsa.internal.event_desc": "olu", @@ -5156,8 +5156,8 @@ ], "related.user": [ "reseo", - "onnu", - "doloremi" + "doloremi", + "onnu" ], "rsa.db.database": "billo", "rsa.db.index": "ectetura", @@ -5211,9 +5211,9 @@ "10.103.215.159" ], "related.user": [ + "volup", "apa", - "atatn", - "volup" + "atatn" ], "rsa.db.index": "atcupi", "rsa.internal.event_desc": "did", diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml index b60beb7603b..7ed7c2ffe4a 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml 
@@ -283,6 +283,7 @@ processors: field: related.hosts value: '{{host.hostname}}' if: ctx.host?.hostname != null + allow_duplicates: false ############# ## Cleanup ## diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 0aa10baa6eb..409a3a00edb 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -476,6 +476,7 @@ processors: field: related.hosts value: "{{observer.hostname}}" if: "ctx?.observer?.hostname != null" + allow_duplicates: false # Remove temporary fields. - remove: diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json index 62a15952dd8..bbb36b77dfa 100644 --- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json @@ -55,8 +55,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.212.11.114", - "10.38.77.13" + "10.38.77.13", + "10.212.11.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uam", @@ -194,8 +194,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.182.199.231", - "10.24.67.250" + "10.24.67.250", + "10.182.199.231" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "oei", @@ -885,8 +885,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.222.183.123", - "10.165.33.19" + "10.165.33.19", + "10.222.183.123" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "usan", @@ -925,8 +925,8 @@ "observer.vendor": "Snort", "observer.version": "1.890", "related.ip": [ - "10.238.223.171", - "10.52.190.18" + "10.52.190.18", + "10.238.223.171" ], "rsa.crypto.sig_type": "Finibus", "rsa.internal.messageid": "16539", 
@@ -975,8 +975,8 @@ "observer.vendor": "Snort", "observer.version": "1.3902", "related.ip": [ - "10.68.233.163", - "10.160.178.109" + "10.160.178.109", + "10.68.233.163" ], "rsa.crypto.sig_type": "ctobeat", "rsa.internal.messageid": "26992", @@ -1113,8 +1113,8 @@ "observer.vendor": "Snort", "observer.version": "1.6627", "related.ip": [ - "10.116.175.84", - "10.213.100.153" + "10.213.100.153", + "10.116.175.84" ], "rsa.crypto.sig_type": "exercit", "rsa.internal.messageid": "11634", @@ -1511,8 +1511,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.201.132.114", - "10.140.209.249" + "10.140.209.249", + "10.201.132.114" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "lor", @@ -1593,8 +1593,8 @@ "observer.vendor": "Snort", "observer.version": "1.2633", "related.ip": [ - "10.198.44.231", - "10.36.122.169" + "10.36.122.169", + "10.198.44.231" ], "rsa.crypto.sig_type": "umquam", "rsa.internal.messageid": "13228", @@ -1645,8 +1645,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.144.162.122", - "10.77.86.215" + "10.77.86.215", + "10.144.162.122" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "eav", @@ -1945,8 +1945,8 @@ "observer.vendor": "Snort", "observer.version": "1.2115", "related.ip": [ - "10.60.137.215", - "10.28.105.106" + "10.28.105.106", + "10.60.137.215" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -2052,9 +2052,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.20.167.114", - "10.49.190.163", "10.166.40.137", + "10.49.190.163", + "10.20.167.114", "10.65.144.119" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", @@ -2096,8 +2096,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.162.128.87", - "10.104.78.147" + "10.104.78.147", + "10.162.128.87" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "emu", 
@@ -2133,8 +2133,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.237.43.87", - "10.82.180.46" + "10.82.180.46", + "10.237.43.87" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "oloremqu", @@ -2175,8 +2175,8 @@ "observer.vendor": "Snort", "observer.version": "1.4189", "related.ip": [ - "10.180.28.156", - "10.234.234.205" + "10.234.234.205", + "10.180.28.156" ], "rsa.crypto.sig_type": "mnihil", "rsa.internal.messageid": "5315", @@ -2257,8 +2257,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.40.250.209", - "10.166.10.187" + "10.166.10.187", + "10.40.250.209" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-temUte", @@ -2334,8 +2334,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.198.202.72", - "10.78.180.219" + "10.78.180.219", + "10.198.202.72" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "equaturv", @@ -2377,8 +2377,8 @@ "observer.vendor": "Snort", "observer.version": "1.2390", "related.ip": [ - "10.147.155.100", - "10.232.67.182" + "10.232.67.182", + "10.147.155.100" ], "rsa.crypto.sig_type": "eufugi", "rsa.internal.messageid": "26152", @@ -2609,8 +2609,8 @@ "observer.vendor": "Snort", "observer.version": "1.6298", "related.ip": [ - "10.231.10.63", - "10.38.22.60" + "10.38.22.60", + "10.231.10.63" ], "rsa.crypto.sig_type": "taliquip", "rsa.internal.messageid": "10329", @@ -2664,8 +2664,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.46.57.181", - "10.29.231.11" + "10.29.231.11", + "10.46.57.181" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "remape", @@ -3371,8 +3371,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.179.27.185", - "10.14.46.141" + "10.14.46.141", + "10.179.27.185" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "llumdolo", 
@@ -3539,10 +3539,10 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ + "10.125.130.61", "10.118.103.185", - "10.32.195.34", "10.240.77.10", - "10.125.130.61" + "10.32.195.34" ], "rsa.internal.event_desc": "TCP Flow is no longer offloaded for connection", "rsa.internal.messageid": "FTD_events", @@ -3583,8 +3583,8 @@ "observer.type": "IDS", "observer.vendor": "Snort", "related.ip": [ - "10.188.88.133", - "10.111.130.177" + "10.111.130.177", + "10.188.88.133" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "numqu", diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 6811c4925e2..684fdedcd51 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -337,6 +337,7 @@ processors: field: related.hosts value: '{{url.domain}}' if: ctx.url?.domain != null + allow_duplicates: false - remove: field: - suricata.eve.app_proto diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index ea74e1c3b31..83ab2f5f5b7 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -38,8 +38,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntium", "rsa.misc.action": [ - "Blocked", - "pisciv" + "pisciv", + "Blocked" ], "rsa.misc.category": "umq", "rsa.misc.filter": "oremi", @@ -109,8 +109,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "Allowed", - "tur" + "tur", + "Allowed" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", 
@@ -167,8 +167,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.254.146.57", - "10.204.86.149" + "10.204.86.149", + "10.254.146.57" ], "related.user": [ "tenima" @@ -182,8 +182,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "giatq", - "Blocked" + "Blocked", + "giatq" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -240,8 +240,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.252.125.53", - "10.103.246.190" + "10.103.246.190", + "10.252.125.53" ], "related.user": [ "equun" @@ -605,8 +605,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.25.192.202", - "10.78.151.178" + "10.78.151.178", + "10.25.192.202" ], "related.user": [ "quip" @@ -620,8 +620,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "Allowed", - "amvolup" + "amvolup", + "Allowed" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -693,8 +693,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "Allowed", - "psaquae" + "psaquae", + "Allowed" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -824,8 +824,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.2.53.125", - "10.181.80.139" + "10.181.80.139", + "10.2.53.125" ], "related.user": [ "ihilmo" @@ -839,8 +839,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "Allowed", - "lorsitam" + "lorsitam", + "Allowed" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", @@ -970,8 +970,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.0.55.9", - "10.135.160.125" + "10.135.160.125", + "10.0.55.9" ], "related.user": [ "volupta" 
@@ -1204,8 +1204,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "umdo", "rsa.misc.action": [ - "Blocked", - "orumSe" + "orumSe", + "Blocked" ], "rsa.misc.category": "tanimid", "rsa.misc.filter": "itam", @@ -1627,8 +1627,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.218.98.29", - "10.86.22.67" + "10.86.22.67", + "10.218.98.29" ], "related.user": [ "olori" @@ -1700,8 +1700,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.39.31.115", - "10.24.111.229" + "10.24.111.229", + "10.39.31.115" ], "related.user": [ "fugi" @@ -1715,8 +1715,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "gnaal", - "Allowed" + "Allowed", + "gnaal" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1861,8 +1861,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntNeq", "rsa.misc.action": [ - "Blocked", - "dtempo" + "dtempo", + "Blocked" ], "rsa.misc.category": "ipsu", "rsa.misc.filter": "iqu", @@ -1919,8 +1919,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.238.224.49", - "10.130.241.232" + "10.130.241.232", + "10.238.224.49" ], "related.user": [ "onse" @@ -1992,8 +1992,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.115.53.31", - "10.2.67.127" + "10.2.67.127", + "10.115.53.31" ], "related.user": [ "Cic" @@ -2080,8 +2080,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "quasiarc", - "Allowed" + "Allowed", + "quasiarc" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2138,8 +2138,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.101.85.169", - "10.18.226.72" + "10.18.226.72", + "10.101.85.169" ], "related.user": [ "rroqu" 
@@ -2153,8 +2153,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "vitaed", - "Allowed" + "Allowed", + "vitaed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2284,8 +2284,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.229.242.223", - "10.80.57.247" + "10.80.57.247", + "10.229.242.223" ], "related.user": [ "itasp" @@ -2372,8 +2372,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Section", - "Allowed" + "Allowed", + "Section" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2430,8 +2430,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.54.159.1", - "10.236.230.136" + "10.236.230.136", + "10.54.159.1" ], "related.user": [ "mUteni" @@ -2518,8 +2518,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "Allowed", - "utemvel" + "utemvel", + "Allowed" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2591,8 +2591,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "doconse", - "Blocked" + "Blocked", + "doconse" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2664,8 +2664,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "Allowed", - "sed" + "sed", + "Allowed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2795,8 +2795,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.81.14", - "10.243.6.41" + "10.243.6.41", + "10.55.81.14" ], "related.user": [ "eiusmo" 
@@ -2810,8 +2810,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "Blocked", - "lestia" + "lestia", + "Blocked" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2868,8 +2868,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.202.224.79", - "10.33.144.10" + "10.33.144.10", + "10.202.224.79" ], "related.user": [ "rios" @@ -2883,8 +2883,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "quu", - "Blocked" + "Blocked", + "quu" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -2941,8 +2941,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.20.124.138", - "10.158.18.51" + "10.158.18.51", + "10.20.124.138" ], "related.user": [ "CSe" @@ -2956,8 +2956,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Loremip", "rsa.misc.action": [ - "Allowed", - "quid" + "quid", + "Allowed" ], "rsa.misc.category": "mini", "rsa.misc.filter": "uisnos", @@ -3306,8 +3306,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.111.249.184", - "10.83.138.34" + "10.83.138.34", + "10.111.249.184" ], "related.user": [ "dentsunt" @@ -3379,8 +3379,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.180.150.47", - "10.141.195.13" + "10.141.195.13", + "10.180.150.47" ], "related.user": [ "taliq" @@ -3467,8 +3467,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mipsumq", "rsa.misc.action": [ - "citation", - "Allowed" + "Allowed", + "citation" ], "rsa.misc.category": "usant", "rsa.misc.filter": "Nem", @@ -3523,8 +3523,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.22.122.43", - "10.100.143.226" + "10.100.143.226", + "10.22.122.43" ], "related.user": [ "ute" 
@@ -3669,8 +3669,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.237.0.173", - "10.31.153.177" + "10.31.153.177", + "10.237.0.173" ], "related.user": [ "sci" @@ -3684,8 +3684,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "eritqui", "rsa.misc.action": [ - "Blocked", - "dolor" + "dolor", + "Blocked" ], "rsa.misc.category": "taspe", "rsa.misc.filter": "oremipsu", @@ -3755,8 +3755,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "Allowed", - "etquasia" + "etquasia", + "Allowed" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3809,8 +3809,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.120.138.109", - "10.39.46.155" + "10.39.46.155", + "10.120.138.109" ], "related.user": [ "picia" @@ -3824,8 +3824,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "Blocked", - "exer" + "exer", + "Blocked" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -3882,8 +3882,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.53.191.49", - "10.133.102.57" + "10.133.102.57", + "10.53.191.49" ], "related.user": [ "onsec" @@ -3897,8 +3897,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "Blocked", - "emp" + "emp", + "Blocked" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4043,8 +4043,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "epreh", - "Allowed" + "Allowed", + "epreh" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", 
@@ -4101,8 +4101,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.178.148.188", - "10.155.252.123" + "10.155.252.123", + "10.178.148.188" ], "related.user": [ "inrepreh" @@ -4116,8 +4116,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inimve", "rsa.misc.action": [ - "Allowed", - "niam" + "niam", + "Allowed" ], "rsa.misc.category": "perspici", "rsa.misc.filter": "uipe", @@ -4174,8 +4174,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.220.1.249", - "10.190.42.245" + "10.190.42.245", + "10.220.1.249" ], "related.user": [ "olup" @@ -4189,8 +4189,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uamquaer", "rsa.misc.action": [ - "aerat", - "Blocked" + "Blocked", + "aerat" ], "rsa.misc.category": "quela", "rsa.misc.filter": "qui", @@ -4245,8 +4245,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.112.190.154", - "10.55.38.153" + "10.55.38.153", + "10.112.190.154" ], "related.user": [ "oremeu" @@ -4475,8 +4475,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dipisc", "rsa.misc.action": [ - "Allowed", - "turad" + "turad", + "Allowed" ], "rsa.misc.category": "ulpaquio", "rsa.misc.filter": "ngelits", @@ -4533,8 +4533,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.120.215.174", - "10.248.108.55" + "10.248.108.55", + "10.120.215.174" ], "related.user": [ "prehend" @@ -4750,8 +4750,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.162.157", - "10.185.107.27" + "10.185.107.27", + "10.29.162.157" ], "related.user": [ "evelite" 
@@ -4765,8 +4765,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "Blocked", - "squirat" + "squirat", + "Blocked" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -4838,8 +4838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "Blocked", - "dqu" + "dqu", + "Blocked" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4896,8 +4896,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.115.88", - "10.12.130.224" + "10.12.130.224", + "10.26.115.88" ], "related.user": [ "Nequepo" @@ -4911,8 +4911,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tNequepo", "rsa.misc.action": [ - "rmagnido", - "Allowed" + "Allowed", + "rmagnido" ], "rsa.misc.category": "luptatem", "rsa.misc.filter": "deritq", @@ -4969,8 +4969,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.91.20.27", - "10.193.152.42" + "10.193.152.42", + "10.91.20.27" ], "related.user": [ "edict" @@ -4984,8 +4984,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "Blocked", - "umq" + "umq", + "Blocked" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5115,8 +5115,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.177.226", - "10.249.1.143" + "10.249.1.143", + "10.124.177.226" ], "related.user": [ "isciveli" @@ -5203,8 +5203,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "Blocked", - "maccu" + "maccu", + "Blocked" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", 
@@ -5276,8 +5276,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "Allowed", - "iqu" + "iqu", + "Allowed" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5349,8 +5349,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "Blocked", - "tutl" + "tutl", + "Blocked" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5422,8 +5422,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "Allowed", - "umet" + "umet", + "Allowed" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", @@ -5480,8 +5480,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.209.203.156", - "10.110.16.169" + "10.110.16.169", + "10.209.203.156" ], "related.user": [ "mes" @@ -5553,8 +5553,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.84.9.150", - "10.107.68.114" + "10.107.68.114", + "10.84.9.150" ], "related.user": [ "sequatDu" @@ -5568,8 +5568,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "omnis", "rsa.misc.action": [ - "Allowed", - "uianonnu" + "uianonnu", + "Allowed" ], "rsa.misc.category": "Excepteu", "rsa.misc.filter": "enimadmi", @@ -5626,8 +5626,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.222.144", - "10.124.119.48" + "10.124.119.48", + "10.26.222.144" ], "related.user": [ "nre" @@ -5772,8 +5772,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.14.37.8", - "10.121.181.243" + "10.121.181.243", + "10.14.37.8" ], "related.user": [ "umwr" @@ -5918,8 +5918,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.77.102.206", - "10.34.98.144" + "10.34.98.144", + "10.77.102.206" ], "related.user": [ "tectobe" 
@@ -5933,8 +5933,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Exce", "rsa.misc.action": [ - "ulapa", - "Allowed" + "Allowed", + "ulapa" ], "rsa.misc.category": "reprehen", "rsa.misc.filter": "itsedqui", @@ -6064,8 +6064,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.149.6.107", - "10.236.55.236" + "10.236.55.236", + "10.149.6.107" ], "related.user": [ "redolo" @@ -6079,8 +6079,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uis", "rsa.misc.action": [ - "mvele", - "Allowed" + "Allowed", + "mvele" ], "rsa.misc.category": "vitaedi", "rsa.misc.filter": "ndeomni", @@ -6210,8 +6210,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.230.61.102", - "10.141.66.163" + "10.141.66.163", + "10.230.61.102" ], "related.user": [ "umdolo" @@ -6225,8 +6225,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "mini", - "Blocked" + "Blocked", + "mini" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6283,8 +6283,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.224.249.228", - "10.10.25.145" + "10.10.25.145", + "10.224.249.228" ], "related.user": [ "mnisiuta" @@ -6444,8 +6444,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "tatisetq", - "Blocked" + "Blocked", + "tatisetq" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6517,8 +6517,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "Allowed", - "onevolu" + "onevolu", + "Allowed" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", 
@@ -6571,8 +6571,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.138.193.38", - "10.46.71.46" + "10.46.71.46", + "10.138.193.38" ], "related.user": [ "sintocca" @@ -6586,8 +6586,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "upta", "rsa.misc.action": [ - "Allowed", - "uovolup" + "uovolup", + "Allowed" ], "rsa.misc.category": "todit", "rsa.misc.filter": "atisetq", @@ -6640,8 +6640,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.254.119.31", - "10.172.159.251" + "10.172.159.251", + "10.254.119.31" ], "related.user": [ "usm" @@ -6713,8 +6713,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.195.62.230", - "10.98.126.206" + "10.98.126.206", + "10.195.62.230" ], "related.user": [ "ptassit" @@ -6786,8 +6786,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.84.140.5", - "10.144.93.186" + "10.144.93.186", + "10.84.140.5" ], "related.user": [ "eroi" @@ -6801,8 +6801,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "Blocked", - "nima" + "nima", + "Blocked" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6932,8 +6932,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.139.90.218", - "10.131.81.172" + "10.131.81.172", + "10.139.90.218" ], "related.user": [ "hende" @@ -7005,8 +7005,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.43.71", - "10.152.217.174" + "10.152.217.174", + "10.128.43.71" ], "related.user": [ "mquiado" @@ -7020,8 +7020,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "temvele", - "Blocked" + "Blocked", + "temvele" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", 
@@ -7078,8 +7078,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.26.149.221", - "10.217.193.148" + "10.217.193.148", + "10.26.149.221" ], "related.user": [ "uisa" @@ -7093,8 +7093,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "Blocked", - "rehe" + "rehe", + "Blocked" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7239,8 +7239,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "Blocked", - "volup" + "volup", + "Blocked" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", From 4c9c95445b8e3fc7421c0f17c6e2141f31fe540c Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Mon, 21 Sep 2020 10:37:06 +0200 Subject: [PATCH 08/10] Add related.hosts to rsa2elk modules --- .../barracuda/spamfirewall/config/input.yml | 2 +- .../spamfirewall/ingest/pipeline.yml | 10 + .../test/generated.log-expected.json | 91 ++- .../module/barracuda/waf/config/input.yml | 2 +- .../module/bluecoat/director/config/input.yml | 2 +- .../bluecoat/director/ingest/pipeline.yml | 5 + .../director/test/generated.log-expected.json | 21 + .../module/citrix/netscaler/config/input.yml | 2 +- .../citrix/netscaler/ingest/pipeline.yml | 5 + .../test/generated.log-expected.json | 62 +- .../module/cyberark/corepas/config/input.yml | 2 +- .../cyberark/corepas/ingest/pipeline.yml | 10 + .../corepas/test/generated.log-expected.json | 588 ++++++++----- .../module/cylance/protect/config/input.yml | 2 +- .../cylance/protect/ingest/pipeline.yml | 5 + .../protect/test/generated.log-expected.json | 243 ++++++ .../module/f5/bigipafm/config/input.yml | 2 +- .../module/f5/bigipafm/ingest/pipeline.yml | 5 + .../bigipafm/test/generated.log-expected.json | 696 +++++++++++----- .../module/f5/bigipapm/config/input.yml | 2 +- .../module/f5/bigipapm/ingest/pipeline.yml | 5 + .../bigipapm/test/generated.log-expected.json | 17 +- .../fortinet/clientendpoint/config/input.yml | 2 +- .../clientendpoint/ingest/pipeline.yml | 10 + .../test/generated.log-expected.json | 560 +++++++++++-- .../fortinet/fortimail/config/input.yml | 2 +- .../fortinet/fortimail/ingest/pipeline.yml | 5 + .../test/generated.log-expected.json | 31 +- .../fortinet/fortimanager/config/input.yml | 2 +- .../fortinet/fortimanager/ingest/pipeline.yml | 5 + .../test/generated.log-expected.json | 509 ++++++++---- .../imperva/securesphere/config/input.yml | 2 +- .../imperva/securesphere/ingest/pipeline.yml | 5 + .../test/generated.log-expected.json | 772 ++++++++++++------ .../module/infoblox/nios/config/input.yml | 2 +- .../module/infoblox/nios/ingest/pipeline.yml | 10 + 
.../nios/test/generated.log-expected.json | 284 +++++++ .../module/juniper/junos/config/input.yml | 2 +- .../module/juniper/junos/ingest/pipeline.yml | 10 + .../module/juniper/netscreen/config/input.yml | 2 +- .../module/microsoft/dhcp/config/input.yml | 2 +- .../module/microsoft/dhcp/ingest/pipeline.yml | 10 + .../dhcp/test/generated.log-expected.json | 300 +++++++ .../netscout/sightline/config/input.yml | 2 +- .../proofpoint/emailsecurity/config/input.yml | 2 +- .../emailsecurity/ingest/pipeline.yml | 10 + .../test/generated.log-expected.json | 24 + .../radware/defensepro/config/input.yml | 2 +- .../module/snort/log/config/input.yml | 2 +- .../module/snort/log/ingest/pipeline.yml | 5 + .../log/test/generated.log-expected.json | 370 ++++++++- .../sonicwall/firewall/config/input.yml | 2 +- .../sonicwall/firewall/ingest/pipeline.yml | 20 + .../firewall/test/generated.log-expected.json | 89 +- .../module/sophos/utm/config/input.yml | 2 +- .../module/sophos/utm/ingest/pipeline.yml | 10 + .../utm/test/generated.log-expected.json | 279 ++++++- .../module/squid/log/config/input.yml | 2 +- .../module/squid/log/ingest/pipeline.yml | 10 + .../squid/log/test/access1.log-expected.json | 644 +++++++++++---- .../endpointprotection/config/input.yml | 2 +- .../endpointprotection/ingest/pipeline.yml | 20 + .../test/generated.log-expected.json | 337 +++++++- .../module/tomcat/log/config/input.yml | 2 +- .../module/tomcat/log/ingest/pipeline.yml | 15 + .../log/test/generated.log-expected.json | 495 +++++++++++ .../module/zscaler/zia/config/input.yml | 2 +- .../module/zscaler/zia/ingest/pipeline.yml | 10 + .../zia/test/generated.log-expected.json | 700 +++++++++++----- .../zscaler/zia/test/test.log-expected.json | 3 + 70 files changed, 5878 insertions(+), 1489 deletions(-) diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml index c93494c2dbb..cdafe4ebde0 100644 
--- a/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml index 67018925f0f..b2c3414c4e7 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{url.domain}}' + if: ctx?.url?.domain != null + allow_duplicates: false + - append: + field: related.hosts + value: '{{server.domain}}' + if: ctx?.server?.domain != null + allow_duplicates: false on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index 247344bdbfe..c442d44c377 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -46,6 +46,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "etdo" + ], "related.ip": [ "10.173.228.223" ], @@ -256,6 +259,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "tempor" + ], "related.ip": [ "10.138.137.28" ], @@ -296,6 +302,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "ari" + ], "related.ip": [ "10.108.180.105" ], 
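Review bot: Both new appends check only `ctx?.url?.domain != null` and `ctx?.server?.domain != null`, and the regenerated fixture in this same commit records `"related.hosts": [""]` for several events, so one of the two domain fields is arriving as an empty string, being appended, and then locked in as expected output. An empty entry in related.hosts is noise for anyone correlating on that field, and `allow_duplicates: false` merely collapses repeats of it rather than removing it. Suggest `if: ctx?.url?.domain != null && ctx.url.domain != ''` and the same form for server.domain, then regenerating the fixture so those entries disappear. The processors list continues outside the hunk.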
@@ -337,6 +346,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "" + ], "related.ip": [ "10.206.159.177" ], @@ -422,6 +434,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "aveniam" + ], "related.ip": [ "10.82.201.113" ], @@ -484,8 +499,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.110.109.5", - "10.18.165.35" + "10.18.165.35", + "10.110.109.5" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, @@ -518,6 +533,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "dolore" + ], "related.ip": [ "10.195.109.134" ], @@ -857,6 +875,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "hitect", + "lit5929.test" + ], "related.ip": [ "10.198.6.166" ], @@ -937,6 +959,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "equat", + "uptat3156.www5.test" + ], "related.ip": [ "10.77.137.72" ], @@ -980,6 +1006,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "vitaedi", + "neav6028.internal.domain" + ], "related.ip": [ "10.128.114.77" ], @@ -1118,6 +1148,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "" + ], "related.ip": [ "10.153.108.27" ], @@ -1225,6 +1258,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "olupta" + ], "related.ip": [ "10.98.92.244" ], @@ -1423,6 +1459,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "tquov" + ], "related.ip": [ "10.211.93.62" ], 
@@ -1480,6 +1519,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "qui" + ], "related.ip": [ "10.199.182.123" ], @@ -1584,6 +1626,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "" + ], "related.ip": [ "10.153.152.219" ], @@ -1788,6 +1833,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "" + ], "related.ip": [ "10.103.69.44" ], @@ -1824,6 +1872,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "aveni", + "oremagna3521.mail.home" + ], "related.ip": [ "10.29.155.171" ], @@ -1867,6 +1919,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "" + ], "related.ip": [ "10.145.193.93" ], @@ -1979,6 +2034,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "" + ], "related.ip": [ "10.141.225.182" ], @@ -2509,6 +2567,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "obeataev" + ], "related.ip": [ "10.139.127.232" ], @@ -2550,6 +2611,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "inv" + ], "related.ip": [ "10.163.209.70" ], @@ -2654,6 +2718,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "" + ], "related.ip": [ "10.157.196.101" ], @@ -2719,6 +2786,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "eritatis" + ], "related.ip": [ "10.209.184.60" ], 
@@ -2818,6 +2888,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "plic" + ], "related.ip": [ "10.17.87.79" ], @@ -2933,6 +3006,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "taedi" + ], "related.ip": [ "10.17.98.243" ], @@ -3100,8 +3176,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.1.6.115", - "10.178.30.158" + "10.178.30.158", + "10.1.6.115" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, @@ -3209,6 +3285,10 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "der", + "piciatis2460.api.host" + ], "related.ip": [ "10.77.182.191" ], @@ -3251,6 +3331,9 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", + "related.hosts": [ + "iame" + ], "related.ip": [ "10.193.110.71" ], diff --git a/x-pack/filebeat/module/barracuda/waf/config/input.yml b/x-pack/filebeat/module/barracuda/waf/config/input.yml index 30e0d5f2745..d90859f5f61 100644 --- a/x-pack/filebeat/module/barracuda/waf/config/input.yml +++ b/x-pack/filebeat/module/barracuda/waf/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/bluecoat/director/config/input.yml b/x-pack/filebeat/module/bluecoat/director/config/input.yml index 7fc587fb028..3e7d940acf9 100644 --- a/x-pack/filebeat/module/bluecoat/director/config/input.yml +++ b/x-pack/filebeat/module/bluecoat/director/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml index 9d462241ae8..3840746722c 100644 
--- a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json index 94a001da91a..1d0de305beb 100644 --- a/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json +++ b/x-pack/filebeat/module/bluecoat/director/test/generated.log-expected.json @@ -247,6 +247,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "seq3874.mail.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.change_new": "fug", "rsa.misc.change_old": "quid", @@ -988,6 +991,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "elitse6672.internal.localdomain" + ], "rsa.db.index": "mquisno", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", @@ -1218,6 +1224,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "itation4168.api.domain" + ], "rsa.db.index": "dipisci", "rsa.internal.event_desc": "This file is automatically generated", "rsa.internal.messageid": "configd", @@ -1569,6 +1578,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "sBonor2001.www5.example" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "medium", 
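Review bot: The added `append` only guards on `ctx?.host?.name != null`, so an empty `host.name` still renders `{{host.name}}` as an empty string and that empty string is appended to `related.hosts`; the Barracuda fixture earlier in this patch already shows `"related.hosts": [ "" ]` for several events, presumably from the same append pattern in that module's pipeline, which is outside this view. An empty host entry is pure noise for anyone pivoting on `related.hosts`, which is the field's whole purpose. Tightening the condition to `if: "ctx?.host?.name != null && ctx.host.name != ''"` keeps such events out, and quoting the Painless expression matches how the panos pipeline in this same patch writes its conditions. The enclosing `processors` list starts and ends outside the hunk.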
@@ -1639,6 +1651,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "ersp6625.internal.domain" + ], "rsa.internal.messageid": "dmd", "rsa.misc.client": "dmd:", "rsa.misc.severity": "high", @@ -1754,6 +1769,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "eleumiu2454.api.local" + ], "rsa.db.index": "tat", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", @@ -1866,6 +1884,9 @@ "observer.product": "Director", "observer.type": "Configuration", "observer.vendor": "Bluecoat", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.db.index": "orumSe", "rsa.internal.event_desc": "info on device connection", "rsa.internal.messageid": "ccd", diff --git a/x-pack/filebeat/module/citrix/netscaler/config/input.yml b/x-pack/filebeat/module/citrix/netscaler/config/input.yml index 1226056cf17..42bba0c0995 100644 --- a/x-pack/filebeat/module/citrix/netscaler/config/input.yml +++ b/x-pack/filebeat/module/citrix/netscaler/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml index 51c9ebaf329..ffb1d2e3374 100644 --- a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml +++ b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null on_failure: - append: field: error.message 
diff --git a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json index 861edae9b88..cb772d91268 100644 --- a/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json +++ b/x-pack/filebeat/module/citrix/netscaler/test/generated.log-expected.json @@ -144,8 +144,8 @@ "rsa.db.index": "undeo", "rsa.internal.messageid": "APPFW_COOKIE", "rsa.misc.action": [ - "cancel", - "iumto" + "iumto", + "cancel" ], "rsa.misc.policy_name": "isqu", "rsa.misc.rule": "uaera", @@ -186,8 +186,8 @@ "related.ip": [ "10.96.119.12", "10.21.92.218", - "10.109.68.21", "10.83.234.60", + "10.109.68.21", "10.156.210.168" ], "related.user": [ @@ -570,6 +570,9 @@ "observer.product": "Netscaler", "observer.type": "Firewall", "observer.vendor": "Citrix", + "related.hosts": [ + "tor4410.api.localhost" + ], "related.ip": [ "10.206.87.219" ], @@ -808,8 +811,8 @@ "rsa.db.index": "uidol", "rsa.internal.messageid": "APPFW_COOKIE", "rsa.misc.action": [ - "cancel", - "tincu" + "tincu", + "cancel" ], "rsa.misc.policy_name": "aec", "rsa.misc.rule": "rQu", @@ -989,8 +992,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.248.165.185", - "10.32.39.220" + "10.32.39.220", + "10.248.165.185" ], "related.user": [ "exeaco" @@ -1025,9 +1028,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.197.6.245", "10.81.45.174", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ "agnaaliq" @@ -1454,8 +1457,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.101.172.233", - "10.211.163.7" + "10.211.163.7", + "10.101.172.233" ], "related.user": [ "est" @@ -1884,8 +1887,8 @@ "rsa.db.index": "orem", "rsa.internal.messageid": "APPFW_FIELDCONSISTENCY", "rsa.misc.action": [ - "tesse", - "allow" + "allow", + "tesse" ], "rsa.misc.policy_name": "rsi", "rsa.misc.rule": "ntutlab", 
@@ -2081,9 +2084,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.80.5.101", + "10.225.146.5", "10.41.65.89", - "10.225.146.5" + "10.80.5.101" ], "related.user": [ "picia" @@ -2475,8 +2478,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.187.86.64", - "10.197.128.162" + "10.197.128.162", + "10.187.86.64" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -2544,8 +2547,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.204.20.8", - "10.43.239.97" + "10.43.239.97", + "10.204.20.8" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -2581,11 +2584,11 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.8.82.22", + "10.148.244.55", "10.133.153.174", - "10.76.129.136", + "10.8.82.22", "10.113.135.78", - "10.148.244.55" + "10.76.129.136" ], "related.user": [ "asiar" @@ -2697,8 +2700,8 @@ "rsa.db.index": "iat", "rsa.internal.messageid": "AF_MALFORMED_REQ_ERR", "rsa.misc.action": [ - "ati", - "block" + "block", + "ati" ], "rsa.misc.policy_name": "llu", "rsa.misc.rule": "etd", @@ -2730,9 +2733,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.213.112.186", "10.215.229.78", - "10.67.233.159" + "10.67.233.159", + "10.213.112.186" ], "related.user": [ "emquiav" @@ -2842,8 +2845,8 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "related.ip": [ - "10.96.104.212", - "10.73.45.19" + "10.73.45.19", + "10.96.104.212" ], "rsa.internal.messageid": "ICA_SESSION_UPDATE", "rsa.misc.msgIdPart1": "ICA", @@ -3032,6 +3035,9 @@ "observer.type": "Firewall", "observer.vendor": "Citrix", "observer.version": "1.897", + "related.hosts": [ + "hend1170.www5.lan" + ], "related.ip": [ "10.111.22.134" ], 
diff --git a/x-pack/filebeat/module/cyberark/corepas/config/input.yml b/x-pack/filebeat/module/cyberark/corepas/config/input.yml index 4a0d6359c63..4b34d80711b 100644 --- a/x-pack/filebeat/module/cyberark/corepas/config/input.yml +++ b/x-pack/filebeat/module/cyberark/corepas/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml index dafb265af35..600d733a297 100644 --- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname server.domain}}' + allow_duplicates: false + if: ctx?.host?.hostname != null + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json index e62f472e5c4..2bf31b06a52 100644 --- a/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cyberark/corepas/test/generated.log-expected.json @@ -20,9 +20,9 @@ "10.208.15.216" ], "related.user": [ - "utl", "quasiarc", - "itv" + "itv", + "utl" ], "rsa.db.index": "nes", "rsa.internal.event_desc": "pexe", 
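Review bot: The first added `append` in the pipeline hunk uses `value: '{{host.hostname server.domain}}'`, which is not a valid Mustache reference: the engine looks up a single field literally named `host.hostname server.domain`, finds nothing, and renders an empty string, so every event that has a `host.hostname` gets `""` appended to `related.hosts` and the real hostname is never recorded. The regenerated cyberark fixture in this patch shows exactly that outcome (`"related.hosts": [ "", "nsecte3304.mail.corp" ]`). The line should read `value: '{{host.hostname}}'`; the second `append` already covers `server.domain`, so nothing else is needed, though guarding both with `&& ... != ''` as well would keep genuinely empty values out. The fixture should be regenerated after the fix rather than committed with the empty entry baked in.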
@@ -63,14 +63,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.259", + "related.hosts": [ + "iatnu3810.mail.localdomain" + ], "related.ip": [ - "10.175.75.18", - "10.92.136.230" + "10.92.136.230", + "10.175.75.18" ], "related.user": [ - "dolore", + "nnumqu", "orev", - "nnumqu" + "dolore" ], "rsa.db.database": "umdo", "rsa.db.index": "vol", @@ -123,14 +126,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7269", + "related.hosts": [ + "anti4454.api.example" + ], "related.ip": [ "10.51.132.10", "10.46.185.46" ], "related.user": [ + "incid", "nse", - "serror", - "incid" + "serror" ], "rsa.db.database": "byC", "rsa.db.index": "tur", @@ -183,13 +189,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6713", + "related.hosts": [ + "uam6303.api.lan" + ], "related.ip": [ - "10.53.192.140", - "10.155.236.240" + "10.155.236.240", + "10.53.192.140" ], "related.user": [ - "ptass", "psumquia", + "ptass", "atcup" ], "rsa.db.database": "aperi", @@ -244,9 +253,9 @@ "10.81.199.122" ], "related.user": [ - "eos", "oremips", - "giatq" + "giatq", + "eos" ], "rsa.db.index": "tempo", "rsa.internal.event_desc": "uian", @@ -287,13 +296,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3491", + "related.hosts": [ + "temq1198.internal.example" + ], "related.ip": [ - "10.172.14.142", - "10.139.186.201" + "10.139.186.201", + "10.172.14.142" ], "related.user": [ - "aboris", "tcupida", + "aboris", "uam" ], "rsa.db.database": "isiu", @@ -347,14 +359,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6875", + "related.hosts": [ + "tenbyCic5882.api.home" + ], "related.ip": [ - "10.47.76.251", - "10.104.111.129" + "10.104.111.129", + "10.47.76.251" ], "related.user": [ - "ipis", + "ele", "etconsec", - "ele" + "ipis" ], "rsa.db.database": "riat", "rsa.db.index": "umdolor", 
@@ -408,9 +423,9 @@ "10.116.120.216" ], "related.user": [ - "quiratio", "umdo", - "animi" + "animi", + "quiratio" ], "rsa.db.index": "oll", "rsa.internal.event_desc": "rumet", @@ -451,14 +466,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5529", + "related.hosts": [ + "isqu7224.localdomain" + ], "related.ip": [ - "10.62.54.220", - "10.57.40.29" + "10.57.40.29", + "10.62.54.220" ], "related.user": [ - "rnatura", + "taevi", "psum", - "taevi" + "rnatura" ], "rsa.db.database": "emeumfug", "rsa.db.index": "omn", @@ -512,8 +530,8 @@ "10.74.237.180" ], "related.user": [ - "ema", "tnon", + "ema", "cup" ], "rsa.db.index": "remeumf", @@ -556,9 +574,9 @@ "10.18.165.35" ], "related.user": [ + "modocons", "remeum", - "lor", - "modocons" + "lor" ], "rsa.db.index": "etM", "rsa.internal.event_desc": "etc", @@ -600,9 +618,9 @@ "10.74.253.127" ], "related.user": [ - "onproide", + "icab", "tema", - "icab" + "onproide" ], "rsa.db.index": "mqui", "rsa.internal.event_desc": "eomnisis", @@ -642,9 +660,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1697", + "related.hosts": [ + "tlabo6088.www.localdomain" + ], "related.ip": [ - "10.189.109.245", - "10.92.8.15" + "10.92.8.15", + "10.189.109.245" ], "related.user": [ "inima", @@ -701,9 +722,9 @@ "10.21.78.128" ], "related.user": [ - "giatquov", "upt", - "taut" + "taut", + "giatquov" ], "rsa.db.index": "iadese", "rsa.internal.event_desc": "deFinibu", @@ -745,9 +766,9 @@ "10.18.109.121" ], "related.user": [ - "tatn", "pida", - "hil" + "hil", + "tatn" ], "rsa.db.index": "quip", "rsa.internal.event_desc": "ecillu", @@ -788,14 +809,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3727", + "related.hosts": [ + "iavolu5352.localhost" + ], "related.ip": [ "10.63.37.192", "10.225.115.13" ], "related.user": [ - "equep", "iunt", - "reetd" + "reetd", + "equep" ], "rsa.db.database": "aliqu", "rsa.db.index": "mipsumd", 
@@ -848,13 +872,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3219", + "related.hosts": [ + "estiae3750.api.corp" + ], "related.ip": [ "10.47.202.102", "10.95.64.124" ], "related.user": [ - "ice", "run", + "ice", "ntor" ], "rsa.db.database": "ite", @@ -907,13 +934,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6371", + "related.hosts": [ + "aquaeabi7735.internal.lan" + ], "related.ip": [ - "10.106.239.55", - "10.244.114.61" + "10.244.114.61", + "10.106.239.55" ], "related.user": [ - "serunt", - "itquiin" + "itquiin", + "serunt" ], "rsa.db.database": "itame", "rsa.db.index": "oluptas", @@ -965,13 +995,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.821", + "related.hosts": [ + "etMalor4236.www5.host" + ], "related.ip": [ - "10.125.160.129", - "10.53.168.235" + "10.53.168.235", + "10.125.160.129" ], "related.user": [ - "one", "abi", + "one", "ione" ], "rsa.db.database": "sperna", @@ -1025,14 +1058,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1123", + "related.hosts": [ + "quioffi1359.internal.lan" + ], "related.ip": [ "10.33.245.220", "10.227.177.121" ], "related.user": [ - "tasuntex", "iduntu", - "liqui" + "liqui", + "tasuntex" ], "rsa.db.database": "rvel", "rsa.db.index": "onsecte", @@ -1088,13 +1124,17 @@ "observer.version": "1.5071", "process.name": "laboree.exe", "process.pid": 6501, + "related.hosts": [ + "", + "nsecte3304.mail.corp" + ], "related.ip": [ - "10.167.85.181", - "10.98.182.220" + "10.98.182.220", + "10.167.85.181" ], "related.user": [ - "econs", - "fde" + "fde", + "econs" ], "rsa.db.database": "equat", "rsa.internal.event_desc": "orpor", @@ -1149,9 +1189,9 @@ "10.89.208.95" ], "related.user": [ - "iciadese", "icabo", - "sintoc" + "sintoc", + "iciadese" ], "rsa.db.index": "eni", "rsa.internal.event_desc": "rcitati", 
@@ -1192,14 +1232,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.509", + "related.hosts": [ + "nevo4284.internal.local" + ], "related.ip": [ "10.72.148.32", "10.214.191.180" ], "related.user": [ + "tDuisaut", "luptatev", - "uteirure", - "tDuisaut" + "uteirure" ], "rsa.db.database": "uamest", "rsa.db.index": "uae", @@ -1252,14 +1295,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3599", + "related.hosts": [ + "itas981.mail.domain" + ], "related.ip": [ - "10.136.190.236", - "10.252.124.150" + "10.252.124.150", + "10.136.190.236" ], "related.user": [ + "ipsumd", "litessec", - "com", - "ipsumd" + "com" ], "rsa.db.database": "tasn", "rsa.db.index": "squirati", @@ -1312,14 +1358,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5649", + "related.hosts": [ + "tnonpro7635.localdomain" + ], "related.ip": [ - "10.213.144.249", - "10.192.34.76" + "10.192.34.76", + "10.213.144.249" ], "related.user": [ "lore", - "iquipe", - "temqu" + "temqu", + "iquipe" ], "rsa.db.database": "gnamal", "rsa.db.index": "ntexplic", @@ -1371,13 +1420,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2217", + "related.hosts": [ + "rQuisau5300.www5.example" + ], "related.ip": [ "10.154.4.197", "10.216.84.30" ], "related.user": [ - "intoc", - "untu" + "untu", + "intoc" ], "rsa.db.database": "oditem", "rsa.db.index": "borios", @@ -1430,9 +1482,9 @@ "10.143.193.199" ], "related.user": [ - "niamqui", "tqu", - "quid" + "quid", + "niamqui" ], "rsa.db.index": "inci", "rsa.internal.event_desc": "eroinBCS", @@ -1473,13 +1525,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5632", + "related.hosts": [ + "uamei2389.internal.example" + ], "related.ip": [ - "10.193.83.81", - "10.65.175.9" + "10.65.175.9", + "10.193.83.81" ], "related.user": [ - "ritatise", "umqu", + "ritatise", "essequam" ], "rsa.db.database": "ender", 
@@ -1534,9 +1589,9 @@ "10.205.72.243" ], "related.user": [ - "tatn", "umdolo", - "isiuta" + "isiuta", + "tatn" ], "rsa.db.index": "proide", "rsa.internal.event_desc": "ameiusm", @@ -1578,9 +1633,9 @@ "10.107.9.163" ], "related.user": [ + "mquisno", "sit", - "mac", - "mquisno" + "mac" ], "rsa.db.index": "sit", "rsa.internal.event_desc": "tdol", @@ -1665,14 +1720,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.267", + "related.hosts": [ + "miurerep1152.internal.domain" + ], "related.ip": [ - "10.39.10.155", - "10.235.136.109" + "10.235.136.109", + "10.39.10.155" ], "related.user": [ "aboreetd", - "ptass", - "urExcept" + "urExcept", + "ptass" ], "rsa.db.database": "teirured", "rsa.db.index": "dolorem", @@ -1726,8 +1784,8 @@ "10.96.224.19" ], "related.user": [ - "ibusBon", "itation", + "ibusBon", "doloreme" ], "rsa.db.index": "oremipsu", @@ -1771,8 +1829,8 @@ ], "related.user": [ "reseo", - "moenimi", - "aec" + "aec", + "moenimi" ], "rsa.db.index": "mac", "rsa.internal.event_desc": "quamest", @@ -1813,14 +1871,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3804", + "related.hosts": [ + "rum5798.home" + ], "related.ip": [ - "10.226.20.199", - "10.226.101.180" + "10.226.101.180", + "10.226.20.199" ], "related.user": [ "rationev", - "ritt", - "veniamqu" + "veniamqu", + "ritt" ], "rsa.db.database": "conse", "rsa.db.index": "imveniam", @@ -1874,9 +1935,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1493", + "related.hosts": [ + "nisiut3624.api.example" + ], "related.ip": [ - "10.134.65.15", - "10.86.22.67" + "10.86.22.67", + "10.134.65.15" ], "related.user": [ "quaUten", @@ -1938,9 +2002,9 @@ "10.70.147.120" ], "related.user": [ - "cidunt", "tten", - "emqu" + "emqu", + "cidunt" ], "rsa.db.index": "eaqu", "rsa.internal.event_desc": "quidol", 
@@ -1981,13 +2045,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6255", + "related.hosts": [ + "tesse1089.www.host" + ], "related.ip": [ "10.178.242.100", "10.24.111.229" ], "related.user": [ - "dqu", "loi", + "dqu", "idid" ], "rsa.db.database": "tenatuse", @@ -2042,9 +2109,9 @@ "10.211.179.168" ], "related.user": [ - "untincul", "ritati", - "mmodoc" + "mmodoc", + "untincul" ], "rsa.db.index": "emvele", "rsa.internal.event_desc": "oluptas", @@ -2086,9 +2153,9 @@ "10.30.243.163" ], "related.user": [ - "illu", + "mven", "dolore", - "mven" + "illu" ], "rsa.db.index": "idol", "rsa.internal.event_desc": "lore", @@ -2129,14 +2196,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1844", + "related.hosts": [ + "dictasun3878.internal.localhost" + ], "related.ip": [ - "10.6.79.159", - "10.212.214.4" + "10.212.214.4", + "10.6.79.159" ], "related.user": [ - "amvo", + "midestl", "quid", - "midestl" + "amvo" ], "rsa.db.database": "urExce", "rsa.db.index": "ectiono", @@ -2189,14 +2259,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3546", + "related.hosts": [ + "aecatcup2241.www5.test" + ], "related.ip": [ - "10.70.147.46", - "10.237.170.202" + "10.237.170.202", + "10.70.147.46" ], "related.user": [ + "liquide", "atDu", - "rcit", - "liquide" + "rcit" ], "rsa.db.database": "taedict", "rsa.db.index": "loremeu", @@ -2249,14 +2322,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4282", + "related.hosts": [ + "mad5185.www5.localhost" + ], "related.ip": [ "10.228.118.81", "10.179.50.138" ], "related.user": [ - "tatemU", + "emoe", "itasper", - "emoe" + "tatemU" ], "rsa.db.database": "toditaut", "rsa.db.index": "ugit", 
@@ -2309,14 +2385,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3806", + "related.hosts": [ + "esseq7889.www.invalid" + ], "related.ip": [ "10.49.71.118", "10.234.165.130" ], "related.user": [ + "emip", "iuntNequ", - "henderit", - "emip" + "henderit" ], "rsa.db.database": "veniamqu", "rsa.db.index": "atquo", @@ -2371,8 +2450,8 @@ ], "related.user": [ "turadipi", - "olorema", - "emip" + "emip", + "olorema" ], "rsa.db.index": "ataevi", "rsa.internal.event_desc": "minim", @@ -2414,8 +2493,8 @@ "10.193.219.34" ], "related.user": [ - "utlabo", "uamei", + "utlabo", "olorem" ], "rsa.db.index": "nse", @@ -2457,14 +2536,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7083", + "related.hosts": [ + "tem6815.home" + ], "related.ip": [ - "10.120.167.217", - "10.174.185.109" + "10.174.185.109", + "10.120.167.217" ], "related.user": [ - "rsp", + "animid", "dolorem", - "animid" + "rsp" ], "rsa.db.database": "tsuntinc", "rsa.db.index": "quovo", @@ -2517,14 +2599,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1432", + "related.hosts": [ + "mporainc2064.home" + ], "related.ip": [ - "10.141.213.219", - "10.117.137.159" + "10.117.137.159", + "10.141.213.219" ], "related.user": [ - "atev", + "accusa", "ate", - "accusa" + "atev" ], "rsa.db.database": "nibus", "rsa.db.index": "ser", @@ -2577,6 +2662,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4043", + "related.hosts": [ + "caboNem1043.internal.home" + ], "related.ip": [ "10.166.90.130", "10.94.224.229" 
@@ -2639,14 +2727,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2456", + "related.hosts": [ + "tatio6513.www.invalid" + ], "related.ip": [ - "10.38.28.151", - "10.201.81.46" + "10.201.81.46", + "10.38.28.151" ], "related.user": [ "tiumto", - "mipsumqu", - "incidid" + "incidid", + "mipsumqu" ], "rsa.db.database": "abor", "rsa.db.index": "adol", @@ -2701,14 +2792,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.2721", + "related.hosts": [ + "dolori6232.api.invalid" + ], "related.ip": [ "10.255.28.56", "10.214.245.95" ], "related.user": [ "umdolors", - "rerepre", - "uptatem" + "uptatem", + "rerepre" ], "rsa.db.database": "odt", "rsa.db.index": "riosa", @@ -2762,9 +2856,9 @@ "10.45.35.180" ], "related.user": [ - "qui", + "mip", "Utenima", - "mip" + "qui" ], "rsa.db.index": "boree", "rsa.internal.event_desc": "uteir", @@ -2806,8 +2900,8 @@ "10.141.200.133" ], "related.user": [ - "iame", "enim", + "iame", "ess" ], "rsa.db.index": "nofdeFi", @@ -2850,8 +2944,8 @@ "10.83.238.145" ], "related.user": [ - "illoi", "ugi", + "illoi", "runtmo" ], "rsa.db.index": "eetdo", @@ -2893,14 +2987,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3147", + "related.hosts": [ + "mestq2106.api.host" + ], "related.ip": [ - "10.39.143.155", - "10.41.89.217" + "10.41.89.217", + "10.39.143.155" ], "related.user": [ - "sedquiac", "tem", - "tperspic" + "tperspic", + "sedquiac" ], "rsa.db.database": "radipis", "rsa.db.index": "nse", @@ -2953,14 +3050,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6382", + "related.hosts": [ + "lors7553.api.local" + ], "related.ip": [ - "10.5.5.1", - "10.153.123.20" + "10.153.123.20", + "10.5.5.1" ], "related.user": [ "minim", - "CSe", - "unt" + "unt", + "CSe" ], "rsa.db.database": "atu", "rsa.db.index": "roi", 
@@ -3013,14 +3113,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3193", + "related.hosts": [ + "olu5333.www.domain" + ], "related.ip": [ - "10.210.61.109", - "10.168.132.175" + "10.168.132.175", + "10.210.61.109" ], "related.user": [ + "giatquov", "iamea", - "eursinto", - "giatquov" + "eursinto" ], "rsa.db.database": "ici", "rsa.db.index": "iquaUt", @@ -3074,9 +3177,9 @@ "10.123.154.17" ], "related.user": [ - "quiac", + "dolorsi", "lmo", - "dolorsi" + "quiac" ], "rsa.db.index": "idunt", "rsa.internal.event_desc": "usantiu", @@ -3119,9 +3222,9 @@ "10.169.123.103" ], "related.user": [ + "oeni", "etquasia", - "xplic", - "oeni" + "xplic" ], "rsa.db.index": "hend", "rsa.internal.event_desc": "piscivel", @@ -3167,8 +3270,8 @@ "10.126.205.76" ], "related.user": [ - "iati", "rsitvol", + "iati", "Nemoenim" ], "rsa.db.index": "eFini", @@ -3210,14 +3313,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3184", + "related.hosts": [ + "fic5107.home" + ], "related.ip": [ "10.169.101.161", "10.164.66.154" ], "related.user": [ "orissu", - "ine", - "eufug" + "eufug", + "ine" ], "rsa.db.database": "stquidol", "rsa.db.index": "imadmini", @@ -3271,9 +3377,9 @@ "10.70.83.200" ], "related.user": [ - "metco", "ihilmole", - "riat" + "riat", + "metco" ], "rsa.db.index": "urQuis", "rsa.internal.event_desc": "iutaliq", @@ -3314,13 +3420,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4887", + "related.hosts": [ + "onpr47.api.home" + ], "related.ip": [ "10.207.97.192", "10.134.55.11" ], "related.user": [ - "mmod", "tanimid", + "mmod", "madminim" ], "rsa.db.database": "tetura", 
@@ -3374,14 +3483,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3601", + "related.hosts": [ + "rehen4859.api.host" + ], "related.ip": [ "10.31.187.19", "10.52.150.104" ], "related.user": [ - "oinBCSed", + "texplica", "eritq", - "texplica" + "oinBCSed" ], "rsa.db.database": "lit", "rsa.db.index": "ritati", @@ -3434,14 +3546,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3175", + "related.hosts": [ + "eufugia4481.corp" + ], "related.ip": [ "10.41.232.147", "10.61.175.217" ], "related.user": [ - "runtm", "ntexpl", - "tat" + "tat", + "runtm" ], "rsa.db.database": "rere", "rsa.db.index": "nonn", @@ -3539,9 +3654,9 @@ "10.98.71.45" ], "related.user": [ - "onse", + "CSe", "fugitse", - "CSe" + "onse" ], "rsa.db.index": "Dui", "rsa.internal.event_desc": "isci", @@ -3584,8 +3699,8 @@ ], "related.user": [ "remq", - "nonn", - "rspic" + "rspic", + "nonn" ], "rsa.db.index": "nre", "rsa.internal.event_desc": "tev", @@ -3627,9 +3742,9 @@ "10.197.203.167" ], "related.user": [ - "eserun", "uta", - "iumdo" + "iumdo", + "eserun" ], "rsa.db.index": "smo", "rsa.internal.event_desc": "olesti", @@ -3672,8 +3787,8 @@ ], "related.user": [ "sectetu", - "ibusBo", - "enima" + "enima", + "ibusBo" ], "rsa.db.index": "uido", "rsa.internal.event_desc": "lab", @@ -3714,14 +3829,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3824", + "related.hosts": [ + "involu1450.www.localhost" + ], "related.ip": [ "10.250.248.215", "10.123.62.215" ], "related.user": [ - "tinculpa", "aevitaed", - "quaeratv" + "quaeratv", + "tinculpa" ], "rsa.db.database": "lica", "rsa.db.index": "uisnos", 
@@ -3773,13 +3891,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3759", + "related.hosts": [ + "osa3211.www5.example" + ], "related.ip": [ "10.147.154.118", "10.146.57.23" ], "related.user": [ - "isiutali", - "tateveli" + "tateveli", + "isiutali" ], "rsa.db.database": "cin", "rsa.db.index": "onofdeF", @@ -3964,9 +4085,9 @@ "10.178.160.245" ], "related.user": [ - "fdeFinib", "turQuis", - "olupta" + "olupta", + "fdeFinib" ], "rsa.db.index": "rsint", "rsa.internal.event_desc": "odico", @@ -4007,14 +4128,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6648", + "related.hosts": [ + "tatemac5192.www5.test" + ], "related.ip": [ "10.85.13.237", "10.89.154.115" ], "related.user": [ - "luptat", + "emeu", "Nem", - "emeu" + "luptat" ], "rsa.db.database": "nturmag", "rsa.db.index": "maliqua", @@ -4067,14 +4191,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3387", + "related.hosts": [ + "nimve2787.mail.test" + ], "related.ip": [ "10.222.32.183", "10.65.207.234" ], "related.user": [ - "eve", "itame", - "eruntmo" + "eruntmo", + "eve" ], "rsa.db.database": "udexerc", "rsa.db.index": "volup", @@ -4172,9 +4299,9 @@ "10.91.213.82" ], "related.user": [ + "illoin", "amnis", - "uianon", - "illoin" + "uianon" ], "rsa.db.index": "ons", "rsa.internal.event_desc": "temaccus", @@ -4216,9 +4343,9 @@ "10.204.214.98" ], "related.user": [ - "porissus", "tdolo", - "eprehe" + "eprehe", + "porissus" ], "rsa.db.index": "abo", "rsa.internal.event_desc": "ecte", @@ -4260,9 +4387,9 @@ "10.223.178.192" ], "related.user": [ - "evel", + "etc", "moenimip", - "etc" + "evel" ], "rsa.db.index": "iarchit", "rsa.internal.event_desc": "apari", 
@@ -4303,9 +4430,12 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.801", + "related.hosts": [ + "ama6820.mail.example" + ], "related.ip": [ - "10.26.137.126", - "10.26.33.181" + "10.26.33.181", + "10.26.137.126" ], "related.user": [ "audant", @@ -4363,14 +4493,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.10", + "related.hosts": [ + "olupt966.www5.corp" + ], "related.ip": [ - "10.148.195.208", - "10.142.161.116" + "10.142.161.116", + "10.148.195.208" ], "related.user": [ "mpori", - "quaerat", - "isi" + "isi", + "quaerat" ], "rsa.db.database": "squamest", "rsa.db.index": "pteu", @@ -4423,13 +4556,16 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.1026", + "related.hosts": [ + "lit4112.www.localhost" + ], "related.ip": [ - "10.107.24.54", - "10.10.174.253" + "10.10.174.253", + "10.107.24.54" ], "related.user": [ - "uptasn", "hend", + "uptasn", "itinvo" ], "rsa.db.database": "lup", @@ -4485,9 +4621,9 @@ "10.87.92.17" ], "related.user": [ - "eeufug", "tamr", - "luptate" + "luptate", + "eeufug" ], "rsa.db.index": "oreeufug", "rsa.internal.event_desc": "ura", @@ -4532,14 +4668,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.5649", + "related.hosts": [ + "dictasun3408.internal.invalid" + ], "related.ip": [ "10.161.51.135", "10.231.51.136" ], "related.user": [ - "accus", + "Finibus", "asper", - "Finibus" + "accus" ], "rsa.db.database": "litani", "rsa.db.index": "arch", @@ -4594,8 +4733,8 @@ ], "related.user": [ "mquido", - "itten", - "llum" + "llum", + "itten" ], "rsa.db.index": "uscipit", "rsa.internal.event_desc": "llitani", @@ -4637,9 +4776,9 @@ "10.108.123.148" ], "related.user": [ + "cusa", "mmodicon", - "ollita", - "cusa" + "ollita" ], "rsa.db.index": "ercitati", "rsa.internal.event_desc": "pteurs", 
@@ -4681,6 +4820,9 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.425", + "related.hosts": [ + "uidol6868.mail.localdomain" + ], "related.ip": [ "10.114.0.148", "10.198.187.144" @@ -4746,9 +4888,9 @@ "10.61.140.120" ], "related.user": [ - "equa", + "naaliq", "loru", - "naaliq" + "equa" ], "rsa.db.index": "umfugiat", "rsa.internal.event_desc": "ora", @@ -4789,14 +4931,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.6988", + "related.hosts": [ + "ptat4878.lan" + ], "related.ip": [ "10.149.238.108", "10.93.24.151" ], "related.user": [ "sequamn", - "nven", - "ite" + "ite", + "nven" ], "rsa.db.database": "fugi", "rsa.db.index": "nesciu", @@ -4850,9 +4995,9 @@ "10.101.45.225" ], "related.user": [ - "uinesc", + "cipitla", "emi", - "cipitla" + "uinesc" ], "rsa.db.index": "caecat", "rsa.internal.event_desc": "tsunt", @@ -4895,8 +5040,8 @@ "10.2.204.161" ], "related.user": [ - "ore", "quela", + "ore", "eumfugia" ], "rsa.db.index": "olup", @@ -4943,9 +5088,9 @@ "10.33.112.100" ], "related.user": [ - "enimad", "ptatemse", - "aliqu" + "aliqu", + "enimad" ], "rsa.db.index": "Except", "rsa.internal.event_desc": "cons", @@ -4986,14 +5131,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.3175", + "related.hosts": [ + "isno4595.local" + ], "related.ip": [ - "10.94.152.238", - "10.151.110.250" + "10.151.110.250", + "10.94.152.238" ], "related.user": [ - "pidatatn", + "tla", "neavol", - "tla" + "pidatatn" ], "rsa.db.database": "itaedict", "rsa.db.index": "onemull", @@ -5046,14 +5194,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.4965", + "related.hosts": [ + "tatemse5403.home" + ], "related.ip": [ "10.146.61.5", "10.77.9.17" ], "related.user": [ - "alorumwr", + "tevel", "umS", - "tevel" + "alorumwr" ], "rsa.db.database": "amremap", "rsa.db.index": "aqu", 
@@ -5107,9 +5258,9 @@ "10.128.102.130" ], "related.user": [ - "sequatu", "que", - "ore" + "ore", + "sequatu" ], "rsa.db.index": "exerci", "rsa.internal.event_desc": "olu", @@ -5150,14 +5301,17 @@ "observer.type": "Access", "observer.vendor": "Cyberark", "observer.version": "1.7701", + "related.hosts": [ + "reprehe650.www.corp" + ], "related.ip": [ - "10.31.86.83", - "10.200.162.248" + "10.200.162.248", + "10.31.86.83" ], "related.user": [ + "onnu", "reseo", - "doloremi", - "onnu" + "doloremi" ], "rsa.db.database": "billo", "rsa.db.index": "ectetura", diff --git a/x-pack/filebeat/module/cylance/protect/config/input.yml b/x-pack/filebeat/module/cylance/protect/config/input.yml index fc90f92344c..28123fafd35 100644 --- a/x-pack/filebeat/module/cylance/protect/config/input.yml +++ b/x-pack/filebeat/module/cylance/protect/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml index 4df5148c770..182c4a85c19 100644 --- a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index aeb8dfcbd46..4f73edba010 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json 
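Review bot: The append added at the end of this hunk fills `related.hosts` from `host.name` alone, so the field will carry only the reporting device's name rather than every hostname the event refers to, which is what the `related.*` fields exist for when an analyst pivots across sources; the same applies to the identical hunk in `x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml`. If this pipeline also populates `source.domain`, `destination.domain` or `url.domain` (none is visible in this hunk, so confirm against the rest of the file), each should be appended the same way so the field is complete. The new processor sits inside a `processors:` list whose start and end are outside the hunk. A comment above the append, `# related.hosts: every hostname the event mentions, for cross-source pivoting`, would also make the intent clear to whoever extends the list next.
```yaml
      if: ctx?.host?.name != null
  # only if the pipeline populates these fields (confirm outside this hunk)
  - append:
      field: related.hosts
      value: '{{source.domain}}'
      allow_duplicates: false
      if: ctx?.source?.domain != null
  - append:
      field: related.hosts
      value: '{{destination.domain}}'
      allow_duplicates: false
      if: ctx?.destination?.domain != null
  # … unchanged: on_failure handler …
```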
@@ -12,6 +12,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nostrud4819.mail.test" + ], "rsa.identity.firstname": "uii", "rsa.identity.lastname": "umexe", "rsa.internal.messageid": "CylancePROTECT", @@ -44,6 +47,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volup208.invalid" + ], "rsa.identity.firstname": "luptat", "rsa.identity.lastname": "isiutal", "rsa.internal.messageid": "CylancePROTECT", @@ -75,6 +81,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eius6159.www5.localhost" + ], "rsa.db.index": "temvel", "rsa.identity.firstname": "lupt", "rsa.identity.lastname": "tia", @@ -106,6 +115,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ratvolup497.www.corp" + ], "rsa.db.index": "ommodic", "rsa.identity.firstname": "mipsu", "rsa.identity.lastname": "consec", @@ -137,6 +149,9 @@ "observer.product": "taliqu", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatno5625.api.local" + ], "rsa.identity.firstname": "tur", "rsa.identity.lastname": "aperi", "rsa.internal.messageid": "CylancePROTECT", @@ -170,6 +185,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "maveniam1399.mail.lan" + ], "related.ip": [ "10.124.61.119" ], @@ -211,6 +229,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nimadmin6499.local" + ], "rsa.db.index": "lorem", "rsa.identity.firstname": "urerep", "rsa.identity.lastname": "aquaeab", 
@@ -242,6 +263,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "suntinc4934.www5.test" + ], "rsa.identity.firstname": "dmi", "rsa.identity.lastname": "olab", "rsa.internal.messageid": "CylancePROTECT", @@ -277,6 +301,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2344", + "related.hosts": [ + "reetdolo2451.www.example" + ], "related.user": [ "usan" ], @@ -310,6 +337,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "uis7612.www5.domain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", @@ -337,6 +367,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "admi3749.api.lan" + ], "rsa.db.index": "nimadmin", "rsa.identity.firstname": "iqui", "rsa.identity.lastname": "etc", @@ -371,6 +404,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.5383", + "related.hosts": [ + "rudexerc703.internal.host" + ], "related.user": [ "isaute" ], @@ -444,6 +480,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "estqu1709.internal.example" + ], "related.ip": [ "10.64.70.5" ], @@ -484,6 +523,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "xeac7155.www.localdomain" + ], "related.ip": [ "10.143.239.210" ], @@ -527,6 +569,9 @@ "observer.vendor": "Cylance", "process.name": "aliqu.exe", "process.pid": 2289, + "related.hosts": [ + "maccusa5126.api.domain" + ], "related.ip": [ "10.32.143.134" ], 
@@ -570,6 +615,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "llu4718.localhost" + ], "rsa.db.index": "psaquae", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -629,6 +677,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eaq908.api.home" + ], "rsa.db.index": "equat", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -661,6 +712,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.4129", + "related.hosts": [ + "mcolab379.internal.home" + ], "related.user": [ "fdeFi" ], @@ -733,6 +787,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sciun4694.api.lan" + ], "rsa.db.index": "enderit", "rsa.identity.firstname": "idata", "rsa.identity.lastname": "rumwritt", @@ -764,6 +821,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "mni7200.mail.localdomain" + ], "rsa.db.index": "uisau", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -821,6 +881,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3212", + "related.hosts": [ + "ntoccae1705.internal.invalid" + ], "related.user": [ "aperiame" ], @@ -854,6 +917,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "etconsec6708.internal.invalid" + ], "rsa.db.index": "mquame", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1502030000, 
@@ -884,6 +950,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Sedutp7428.internal.home" + ], "rsa.db.index": "iquipe", "rsa.identity.firstname": "upida", "rsa.identity.lastname": "tvolupt", @@ -916,6 +985,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ati4639.www5.home" + ], "rsa.identity.firstname": "con", "rsa.identity.lastname": "nisist", "rsa.internal.messageid": "CylancePROTECT", @@ -947,6 +1019,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "torever662.www5.home" + ], "rsa.db.index": "The Device: pexe was auto assigned to the Zone: IP Address: 10.70.168.240", "rsa.identity.firstname": "amcol", "rsa.identity.lastname": "adeser", @@ -978,6 +1053,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "emeumfug4387.internal.lan" + ], "rsa.identity.firstname": "ccaeca", "rsa.identity.lastname": "niamq", "rsa.internal.messageid": "CylancePROTECT", @@ -1010,6 +1088,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "rumwrit764.www5.local" + ], "rsa.db.index": "miu", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804020000, @@ -1072,6 +1153,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oremi1485.api.localhost" + ], "rsa.identity.firstname": "atisund", "rsa.identity.lastname": "xea", "rsa.internal.messageid": "CylancePROTECT", @@ -1104,6 +1188,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "periam126.api.host" + ], "rsa.crypto.sig_type": "rExc", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -1135,6 +1222,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tate6578.api.localdomain" + ], "related.ip": [ "10.252.165.146" ], @@ -1175,6 +1265,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "midestl1919.host" + ], "related.ip": [ "10.124.88.222" ], @@ -1215,6 +1308,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "eiusmod3517.internal.invalid" + ], "rsa.identity.firstname": "dol", "rsa.identity.lastname": "sciun", "rsa.internal.messageid": "CylancePROTECT", @@ -1248,6 +1344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntexpl3889.www.home" + ], "related.ip": [ "10.156.34.19" ], @@ -1290,6 +1389,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ntium4450.www5.localdomain" + ], "related.ip": [ "10.22.94.10" ], @@ -1330,6 +1432,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "erspi5757.local" + ], "rsa.db.index": "undeomni", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -1424,6 +1529,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "magnid3343.home" + ], "rsa.db.index": "obea", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1454,6 +1562,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "asperna7623.www.home" + ], "rsa.identity.firstname": "onproide", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -1486,6 +1597,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3421", + "related.hosts": [ + "undeom845.www5.example" + ], "related.user": [ "tassita" ], @@ -1548,6 +1662,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ons5050.mail.test" + ], "related.ip": [ "10.48.209.115" ], @@ -1588,6 +1705,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "oloreeu7597.mail.home" + ], "related.ip": [ "10.7.99.47" ], @@ -1628,6 +1748,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ueip5847.api.test" + ], "rsa.crypto.sig_type": "Nemoenim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, @@ -1660,6 +1783,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.989", + "related.hosts": [ + "uid3520.www.home" + ], "related.user": [ "ici" ], @@ -1745,6 +1871,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "rsa.identity.firstname": "scip", "rsa.identity.lastname": "Finibus", "rsa.internal.messageid": "CylancePROTECT", @@ -1831,6 +1960,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "serrorsi1096.www5.localdomain" + ], "rsa.db.index": "The Device: reetdo was auto assigned to the Zone: IP Address: Fake Devices", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -1860,6 +1992,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "prehen4807.mail.invalid" + ], "rsa.db.index": "meum", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1600000000, 
@@ -1890,6 +2025,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sit1400.www.lan" + ], "rsa.db.index": "ntsunti", "rsa.identity.firstname": "uid", "rsa.identity.lastname": "idatat", @@ -1922,6 +2060,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sectetu7182.localdomain" + ], "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1804010000, "rsa.investigations.event_cat_name": "Network.Devices.Additions", @@ -1949,6 +2090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "officiad4982.www5.domain" + ], "rsa.identity.firstname": "etdolore", "rsa.identity.lastname": "magnaa", "rsa.internal.messageid": "CylancePROTECT", @@ -1980,6 +2124,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "consequa1486.internal.localdomain" + ], "rsa.crypto.sig_type": "quaeratv", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2010,6 +2157,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "its6443.mail.example" + ], "related.ip": [ "10.139.80.71" ], @@ -2053,6 +2203,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tconsec7604.corp" + ], "related.ip": [ "10.223.246.244" ], @@ -2092,6 +2245,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tuser2694.internal.invalid" + ], "rsa.identity.firstname": "natus", "rsa.identity.lastname": "boreet", "rsa.internal.messageid": "CylancePROTECT", 
@@ -2124,6 +2280,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "gnaaliq5240.api.test" + ], "rsa.crypto.sig_type": "ratvo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2153,6 +2312,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "illum2625.test" + ], "rsa.crypto.sig_type": "iaeconse", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, @@ -2182,6 +2344,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nulamc5617.mail.host" + ], "related.ip": [ "10.134.137.205" ], @@ -2221,6 +2386,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "tatem4713.internal.host" + ], "rsa.db.index": "usci", "rsa.identity.firstname": "lupta", "rsa.identity.lastname": "ura", @@ -2254,6 +2422,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ugits5961.www5.local" + ], "related.ip": [ "10.91.2.225" ], @@ -2297,6 +2468,9 @@ "observer.vendor": "Cylance", "process.name": "nimadmi.exe", "process.pid": 601, + "related.hosts": [ + "prehende5460.mail.localdomain" + ], "related.ip": [ "10.191.99.14" ], @@ -2340,6 +2514,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "velites1745.api.corp" + ], "rsa.db.index": "lor", "rsa.identity.firstname": "naaliq", "rsa.identity.lastname": "plica", @@ -2373,6 +2550,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "Duis583.api.local" + ], "rsa.crypto.sig_type": "dminim", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1401060000, 
@@ -2404,6 +2584,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.2478", + "related.hosts": [ + "velitess2401.www.lan" + ], "rsa.db.index": "dolo", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, @@ -2434,6 +2617,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "sequines3991.mail.local" + ], "rsa.identity.firstname": "sequines", "rsa.identity.lastname": "minimve", "rsa.internal.messageid": "CylancePROTECT", @@ -2470,6 +2656,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "iatquo2815.mail.host" + ], "related.ip": [ "10.181.215.164" ], @@ -2537,6 +2726,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "issusci7005.mail.host" + ], "rsa.db.index": "tiumtot", "rsa.identity.firstname": "ecillumd", "rsa.identity.lastname": "iumto", @@ -2571,6 +2763,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umq7428.invalid" + ], "related.ip": [ "10.164.59.219" ], @@ -2639,6 +2834,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "epteurs5503.www5.home" + ], "related.ip": [ "10.1.193.187" ], @@ -2707,6 +2905,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "omnisis5339.www5.local" + ], "rsa.db.index": "deom, Device Id: tiumdo, Policy Name: rautod", "rsa.internal.messageid": "CylancePROTECT", "rsa.investigations.event_cat": 1901000000, 
@@ -2737,6 +2938,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "ction491.www5.local" + ], "rsa.identity.firstname": "imveniam", "rsa.identity.lastname": "sunte", "rsa.internal.messageid": "CylancePROTECT", @@ -2769,6 +2973,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "undeom7847.api.corp" + ], "related.ip": [ "10.146.228.234" ], @@ -2810,6 +3017,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "dolo6230.mail.invalid" + ], "related.ip": [ "10.59.232.97" ], @@ -2845,6 +3055,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "nvolup6280.api.home" + ], "rsa.identity.firstname": "dantium", "rsa.identity.lastname": "ors", "rsa.internal.messageid": "CylancePROTECT", @@ -2877,6 +3090,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "urautodi3892.www5.example" + ], "rsa.db.index": "nibu", "rsa.identity.firstname": "mdolo", "rsa.identity.lastname": "nof", @@ -2952,6 +3168,9 @@ "observer.vendor": "Cylance", "process.name": "oluptat.exe", "process.pid": 4608, + "related.hosts": [ + "uraut3756.www5.test" + ], "related.ip": [ "10.127.30.119" ], @@ -2995,6 +3214,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "squ2213.www.test" + ], "rsa.db.index": "rExce", "rsa.identity.firstname": "rinc", "rsa.identity.lastname": "tno", @@ -3056,6 +3278,9 @@ "observer.vendor": "Cylance", "process.name": "ngelitse.exe", "process.pid": 4190, + "related.hosts": [ + "umet5891.api.localdomain" + ], "related.ip": [ "10.8.150.213" ], 
@@ -3099,6 +3324,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "umquam5574.internal.test" + ], "related.ip": [ "10.108.59.10" ], @@ -3134,6 +3362,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "volupt6822.api.invalid" + ], "rsa.identity.firstname": "qui", "rsa.identity.lastname": "epteurs", "rsa.internal.messageid": "CylancePROTECT", @@ -3224,6 +3455,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Cylance", "observer.version": "1.3237", + "related.hosts": [ + "amvol4075.mail.localhost" + ], "related.user": [ "pta" ], @@ -3257,6 +3491,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "asi4651.api.test" + ], "rsa.db.index": "ssecill", "rsa.identity.firstname": "officiad", "rsa.identity.lastname": "veniam", @@ -3288,6 +3525,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "perna6751.internal.home" + ], "related.ip": [ "10.138.85.233" ], @@ -3323,6 +3563,9 @@ "observer.product": "Protect", "observer.type": "Anti-Virus", "observer.vendor": "Cylance", + "related.hosts": [ + "evolupta7790.internal.local" + ], "rsa.db.index": "rehe", "rsa.identity.firstname": "tam", "rsa.identity.lastname": "deser", diff --git a/x-pack/filebeat/module/f5/bigipafm/config/input.yml b/x-pack/filebeat/module/f5/bigipafm/config/input.yml index e17540ff041..e4c79ac07c5 100644 --- a/x-pack/filebeat/module/f5/bigipafm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipafm/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml index 5df41d6ec6f..1a25fa92e38 100644 
--- a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml @@ -53,6 +53,11 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json index a366e228e25..d1729062282 100644 --- a/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipafm/test/generated.log-expected.json @@ -20,11 +20,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2262", + "related.hosts": [ + "tatemac3541.api.corp" + ], "related.ip": [ - "10.11.196.142", - "10.208.121.85", "10.165.201.71", - "10.228.193.207" + "10.228.193.207", + "10.11.196.142", + "10.208.121.85" ], "related.user": [ "billoi" @@ -85,11 +88,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.445", + "related.hosts": [ + "enatus2114.mail.home" + ], "related.ip": [ - "10.92.202.200", - "10.162.9.235", "10.51.132.10", - "10.94.67.230" + "10.162.9.235", + "10.94.67.230", + "10.92.202.200" ], "related.user": [ "byC" @@ -150,6 +156,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4726", + "related.hosts": [ + "gelit6728.api.invalid" + ], "related.ip": [ "10.122.116.161", "10.209.155.149", @@ -214,11 +223,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2696", + "related.hosts": [ + "uid545.www5.localhost" + ], "related.ip": [ "10.12.44.169", + "10.202.66.28", "10.50.112.141", - "10.131.233.27", - "10.202.66.28" + "10.131.233.27" ], "related.user": [ "elits" 
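Review bot: The regenerated F5 fixtures in this same diff reorder existing `related.ip` entries (for example the four addresses in the record with `observer.version: "1.2262"`), which the only visible pipeline change here, a single new append to `related.hosts`, does not explain. The reordering presumably comes from an edit to the `related.ip` appends elsewhere in this file, which is outside the hunk; it is worth confirming that the resulting order is deterministic, otherwise the expected-output files will churn on every regeneration and mask real changes. The `processors:` list the new append belongs to starts and ends outside the hunk.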
@@ -279,11 +291,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3341", + "related.hosts": [ + "emquiavo452.internal.localhost" + ], "related.ip": [ + "10.159.182.171", "10.151.111.38", - "10.206.197.113", "10.96.35.212", - "10.159.182.171" + "10.206.197.113" ], "related.user": [ "mol" @@ -344,11 +359,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6179", + "related.hosts": [ + "sun1403.www.invalid" + ], "related.ip": [ - "10.169.144.147", - "10.89.163.114", + "10.126.177.162", "10.213.113.28", - "10.126.177.162" + "10.169.144.147", + "10.89.163.114" ], "related.user": [ "ist" @@ -408,11 +426,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6316", + "related.hosts": [ + "ittenbyC7838.api.localdomain" + ], "related.ip": [ "10.101.223.43", - "10.146.88.52", + "10.18.124.28", "10.103.107.47", - "10.18.124.28" + "10.146.88.52" ], "related.user": [ "rudexerc" @@ -473,9 +494,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3768", + "related.hosts": [ + "ume465.corp" + ], "related.ip": [ - "10.189.109.245", "10.150.220.75", + "10.189.109.245", "10.69.57.206", "10.110.99.17" ], @@ -537,11 +561,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2299", + "related.hosts": [ + "iciatisu1463.www5.localdomain" + ], "related.ip": [ - "10.19.194.101", - "10.153.136.222", "10.199.34.241", - "10.121.219.204" + "10.121.219.204", + "10.153.136.222", + "10.19.194.101" ], "related.user": [ "temveleu" @@ -601,10 +628,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4138", + "related.hosts": [ + "aliqu6801.api.localdomain" + ], "related.ip": [ + "10.57.103.192", "10.64.141.105", "10.46.27.57", - "10.57.103.192", "10.182.199.231" ], "related.user": [ 
@@ -665,11 +695,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7410", + "related.hosts": [ + "itame189.domain" + ], "related.ip": [ "10.32.67.231", - "10.164.6.207", "10.3.134.237", - "10.160.210.31" + "10.160.210.31", + "10.164.6.207" ], "related.user": [ "pic" @@ -730,11 +763,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3545", + "related.hosts": [ + "tsedqu2456.www5.invalid" + ], "related.ip": [ "10.42.138.192", + "10.201.6.10", "10.235.101.253", - "10.182.178.217", - "10.201.6.10" + "10.182.178.217" ], "related.user": [ "giatnu" @@ -795,11 +831,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3795", + "related.hosts": [ + "stlabo1228.mail.host" + ], "related.ip": [ - "10.151.161.70", "10.86.101.235", - "10.22.102.198", - "10.194.247.171" + "10.194.247.171", + "10.151.161.70", + "10.22.102.198" ], "related.user": [ "nse" @@ -860,11 +899,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4901", + "related.hosts": [ + "ecte4762.local" + ], "related.ip": [ - "10.167.172.155", "10.174.252.105", + "10.204.35.15", "10.107.168.60", - "10.204.35.15" + "10.167.172.155" ], "related.user": [ "mnisi" @@ -924,11 +966,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3427", + "related.hosts": [ + "smo7167.www.test" + ], "related.ip": [ + "10.99.249.210", "10.182.191.174", - "10.214.249.164", "10.81.26.208", - "10.99.249.210" + "10.214.249.164" ], "related.user": [ "upta" @@ -988,11 +1033,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1766", + "related.hosts": [ + "sauteiru4554.api.domain" + ], "related.ip": [ - "10.101.226.128", "10.88.101.53", "10.201.238.90", - "10.220.5.143" + "10.220.5.143", + "10.101.226.128" ], "related.user": [ "porro" 
@@ -1052,11 +1100,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7491", + "related.hosts": [ + "untut4046.internal.domain" + ], "related.ip": [ - "10.30.133.66", - "10.157.18.252", "10.243.218.215", - "10.217.150.196" + "10.217.150.196", + "10.157.18.252", + "10.30.133.66" ], "related.user": [ "evit" @@ -1116,10 +1167,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.752", + "related.hosts": [ + "quid3147.mail.home" + ], "related.ip": [ + "10.167.227.44", "10.181.133.187", "10.148.161.250", - "10.167.227.44", "10.66.181.6" ], "related.user": [ @@ -1181,9 +1235,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5663", + "related.hosts": [ + "umdolo1029.mail.localhost" + ], "related.ip": [ - "10.54.17.32", "10.74.11.43", + "10.54.17.32", "10.84.163.178", "10.107.9.163" ], @@ -1245,11 +1302,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5726", + "related.hosts": [ + "lorsita2019.internal.home" + ], "related.ip": [ "10.230.129.252", - "10.112.32.213", "10.184.73.211", - "10.192.229.221" + "10.192.229.221", + "10.112.32.213" ], "related.user": [ "odi" @@ -1310,11 +1370,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1721", + "related.hosts": [ + "paquioff624.mail.invalid" + ], "related.ip": [ "10.161.148.64", - "10.198.213.189", + "10.199.216.143", "10.7.200.140", - "10.199.216.143" + "10.198.213.189" ], "related.user": [ "ccaeca" @@ -1374,11 +1437,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1000", + "related.hosts": [ + "mex2054.mail.corp" + ], "related.ip": [ - "10.128.157.27", - "10.65.232.27", "10.206.96.56", - "10.22.187.69" + "10.22.187.69", + "10.128.157.27", + "10.65.232.27" ], "related.user": [ "uaeab" 
@@ -1438,11 +1504,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3104", + "related.hosts": [ + "avolupt7576.api.corp" + ], "related.ip": [ - "10.71.114.14", "10.194.210.62", "10.68.253.120", - "10.183.130.225" + "10.183.130.225", + "10.71.114.14" ], "related.user": [ "admin" @@ -1503,11 +1572,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.341", + "related.hosts": [ + "loi7596.www5.home" + ], "related.ip": [ - "10.107.45.175", + "10.47.255.237", "10.45.253.103", - "10.31.177.226", - "10.47.255.237" + "10.107.45.175", + "10.31.177.226" ], "related.user": [ "remagn" @@ -1568,11 +1640,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1607", + "related.hosts": [ + "nsequat1971.internal.invalid" + ], "related.ip": [ - "10.225.212.189", "10.44.58.106", "10.55.105.113", - "10.213.94.135" + "10.213.94.135", + "10.225.212.189" ], "related.user": [ "dquia" @@ -1632,11 +1707,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.51", + "related.hosts": [ + "ectiono2241.lan" + ], "related.ip": [ - "10.163.209.70", - "10.2.114.9", "10.255.74.136", - "10.69.161.78" + "10.69.161.78", + "10.163.209.70", + "10.2.114.9" ], "related.user": [ "olabor" @@ -1696,9 +1774,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.380", + "related.hosts": [ + "umetMal1664.mail.lan" + ], "related.ip": [ - "10.252.102.110", "10.46.115.216", + "10.252.102.110", "10.12.129.137", "10.184.59.148" ], @@ -1761,11 +1842,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1729", + "related.hosts": [ + "derit5270.mail.local" + ], "related.ip": [ - "10.105.52.140", - "10.199.194.79", "10.81.184.7", - "10.155.204.243" + "10.199.194.79", + "10.155.204.243", + "10.105.52.140" ], "related.user": [ "eetd" 
@@ -1826,11 +1910,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1453", + "related.hosts": [ + "orisni5238.mail.lan" + ], "related.ip": [ - "10.177.238.45", "10.251.231.142", - "10.110.2.166", - "10.18.226.72" + "10.177.238.45", + "10.18.226.72", + "10.110.2.166" ], "related.user": [ "taliqui" @@ -1891,6 +1978,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6332", + "related.hosts": [ + "iutali7297.www.domain" + ], "related.ip": [ "10.99.202.229", "10.100.199.226", @@ -1956,11 +2046,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6463", + "related.hosts": [ + "orumw5960.www5.home" + ], "related.ip": [ "10.248.111.207", - "10.172.154.97", + "10.162.97.197", "10.37.193.70", - "10.162.97.197" + "10.172.154.97" ], "related.user": [ "culpaq" @@ -2020,11 +2113,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3912", + "related.hosts": [ + "oinv5493.internal.domain" + ], "related.ip": [ "10.171.221.230", "10.222.165.250", - "10.36.63.31", - "10.45.35.180" + "10.45.35.180", + "10.36.63.31" ], "related.user": [ "otamr" @@ -2084,11 +2180,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4329", + "related.hosts": [ + "tnonproi195.api.home" + ], "related.ip": [ - "10.238.4.219", - "10.83.238.145", + "10.1.171.61", "10.199.127.211", - "10.1.171.61" + "10.83.238.145", + "10.238.4.219" ], "related.user": [ "reetdolo" @@ -2148,11 +2247,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3789", + "related.hosts": [ + "edictasu5362.internal.localhost" + ], "related.ip": [ "10.170.252.219", + "10.65.141.244", "10.74.213.42", - "10.44.226.104", - "10.65.141.244" + "10.44.226.104" ], "related.user": [ "Nequepo" 
@@ -2212,11 +2314,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2965", + "related.hosts": [ + "uido492.www5.home" + ], "related.ip": [ "10.180.48.221", - "10.225.141.172", + "10.225.255.211", "10.183.223.149", - "10.225.255.211" + "10.225.141.172" ], "related.user": [ "nihil" @@ -2276,11 +2381,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7612", + "related.hosts": [ + "redo6311.api.invalid" + ], "related.ip": [ "10.176.64.28", "10.97.138.181", - "10.169.123.103", - "10.205.174.181" + "10.205.174.181", + "10.169.123.103" ], "related.user": [ "eseruntm" @@ -2341,11 +2449,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4226", + "related.hosts": [ + "dolorem1698.www.domain" + ], "related.ip": [ "10.75.120.11", + "10.169.101.161", "10.53.101.131", - "10.204.4.40", - "10.169.101.161" + "10.204.4.40" ], "related.user": [ "tquo" @@ -2406,11 +2517,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2990", + "related.hosts": [ + "evitae7333.www.lan" + ], "related.ip": [ "10.156.117.169", + "10.28.51.219", "10.6.222.112", - "10.87.120.87", - "10.28.51.219" + "10.87.120.87" ], "related.user": [ "onsequu" @@ -2470,11 +2584,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.388", + "related.hosts": [ + "arc2412.mail.lan" + ], "related.ip": [ - "10.4.126.103", - "10.253.167.17", "10.247.44.59", - "10.57.89.155" + "10.57.89.155", + "10.253.167.17", + "10.4.126.103" ], "related.user": [ "ntorever" @@ -2534,11 +2651,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6451", + "related.hosts": [ + "olorsi2746.internal.localhost" + ], "related.ip": [ - "10.15.240.220", "10.36.69.125", - "10.143.183.208", - "10.248.206.210" + "10.15.240.220", + "10.248.206.210", + "10.143.183.208" ], "related.user": [ "met" 
@@ -2599,11 +2719,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4386", + "related.hosts": [ + "edqu2208.www.localhost" + ], "related.ip": [ "10.69.170.107", "10.6.32.7", - "10.142.186.43", - "10.34.133.2" + "10.34.133.2", + "10.142.186.43" ], "related.user": [ "ipitlabo" @@ -2664,11 +2787,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2026", + "related.hosts": [ + "ender5647.www5.example" + ], "related.ip": [ "10.59.103.10", - "10.142.22.24", + "10.170.165.164", "10.121.153.197", - "10.170.165.164" + "10.142.22.24" ], "related.user": [ "borumSec" @@ -2729,6 +2855,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1576", + "related.hosts": [ + "sis3986.internal.lan" + ], "related.ip": [ "10.19.99.129", "10.247.114.30", @@ -2794,11 +2923,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3824", + "related.hosts": [ + "uatu2894.api.lan" + ], "related.ip": [ - "10.64.139.17", "10.70.7.23", + "10.40.177.138", "10.8.29.219", - "10.40.177.138" + "10.64.139.17" ], "related.user": [ "rep" @@ -2858,10 +2990,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6066", + "related.hosts": [ + "rmagnido5483.local" + ], "related.ip": [ "10.2.189.20", - "10.67.173.228", "10.67.221.220", + "10.67.173.228", "10.180.62.222" ], "related.user": [ @@ -2923,6 +3058,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5040", + "related.hosts": [ + "uian521.www.example" + ], "related.ip": [ "10.147.127.181", "10.209.52.47", @@ -2987,10 +3125,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7604", + "related.hosts": [ + "taliq5213.api.corp" + ], "related.ip": [ - "10.231.18.90", - "10.248.140.59", "10.226.24.84", + "10.248.140.59", + "10.231.18.90", "10.85.13.237" ], "related.user": [ 
@@ -3052,11 +3193,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5407", + "related.hosts": [ + "ntsunt4894.mail.domain" + ], "related.ip": [ - "10.203.46.215", + "10.59.215.207", "10.207.183.204", "10.8.224.72", - "10.59.215.207" + "10.203.46.215" ], "related.user": [ "eruntmo" @@ -3117,11 +3261,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6814", + "related.hosts": [ + "mexer3864.api.corp" + ], "related.ip": [ + "10.98.154.146", "10.73.84.95", "10.230.38.148", - "10.255.145.22", - "10.98.154.146" + "10.255.145.22" ], "related.user": [ "sitam" @@ -3181,11 +3328,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7160", + "related.hosts": [ + "oluptat6960.www5.test" + ], "related.ip": [ - "10.105.120.162", "10.166.142.198", - "10.211.29.187", - "10.175.181.138" + "10.105.120.162", + "10.175.181.138", + "10.211.29.187" ], "related.user": [ "tium" @@ -3246,11 +3396,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6057", + "related.hosts": [ + "fugiatnu2498.www.localhost" + ], "related.ip": [ - "10.220.202.102", "10.182.213.195", "10.195.139.25", - "10.122.133.162" + "10.122.133.162", + "10.220.202.102" ], "related.user": [ "aquae" @@ -3311,11 +3464,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3297", + "related.hosts": [ + "ptat3230.domain" + ], "related.ip": [ - "10.156.208.5", - "10.53.72.161", + "10.33.143.163", "10.247.144.9", - "10.33.143.163" + "10.156.208.5", + "10.53.72.161" ], "related.user": [ "scip" @@ -3375,11 +3531,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2476", + "related.hosts": [ + "exer447.internal.localhost" + ], "related.ip": [ + "10.241.143.145", "10.35.190.164", "10.21.58.162", - "10.113.65.192", - "10.241.143.145" + "10.113.65.192" ], "related.user": [ "porin" 
@@ -3440,11 +3599,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.768", + "related.hosts": [ + "itanimi1934.home" + ], "related.ip": [ - "10.19.154.103", - "10.53.27.253", + "10.129.16.166", "10.75.113.240", - "10.129.16.166" + "10.19.154.103", + "10.53.27.253" ], "related.user": [ "luptat" @@ -3505,6 +3667,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5812", + "related.hosts": [ + "pteurs1031.mail.corp" + ], "related.ip": [ "10.150.153.61", "10.22.213.196", @@ -3570,10 +3735,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7232", + "related.hosts": [ + "edquiaco6562.api.lan" + ], "related.ip": [ "10.85.52.249", - "10.238.171.184", "10.229.155.171", + "10.238.171.184", "10.113.2.13" ], "related.user": [ @@ -3635,11 +3803,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.536", + "related.hosts": [ + "tatis7315.mail.home" + ], "related.ip": [ "10.249.174.35", - "10.198.150.185", "10.51.245.225", - "10.220.1.249" + "10.220.1.249", + "10.198.150.185" ], "related.user": [ "quela" @@ -3700,10 +3871,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.219", + "related.hosts": [ + "eosqui3723.api.localdomain" + ], "related.ip": [ - "10.190.96.181", "10.38.185.31", "10.251.82.195", + "10.190.96.181", "10.152.157.32" ], "related.user": [ @@ -3764,11 +3938,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6526", + "related.hosts": [ + "itaedict199.mail.corp" + ], "related.ip": [ - "10.190.247.194", "10.103.102.242", - "10.211.198.50", - "10.230.112.179" + "10.190.247.194", + "10.230.112.179", + "10.211.198.50" ], "related.user": [ "tDuisaut" 
@@ -3828,11 +4005,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7750", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], "related.ip": [ "10.219.83.199", "10.47.223.155", - "10.251.101.61", - "10.101.13.122" + "10.101.13.122", + "10.251.101.61" ], "related.user": [ "ectetur" @@ -3893,11 +4073,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5568", + "related.hosts": [ + "saute7421.www.invalid" + ], "related.ip": [ + "10.31.86.83", "10.21.30.43", - "10.83.136.233", "10.21.80.157", - "10.31.86.83" + "10.83.136.233" ], "related.user": [ "litsed" @@ -3958,11 +4141,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5445", + "related.hosts": [ + "oluptas1637.home" + ], "related.ip": [ - "10.195.90.73", + "10.27.181.27", "10.45.152.205", "10.194.197.107", - "10.27.181.27" + "10.195.90.73" ], "related.user": [ "datatn" @@ -4023,11 +4209,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.508", + "related.hosts": [ + "ididu5505.api.localdomain" + ], "related.ip": [ "10.222.2.132", + "10.183.90.25", "10.43.239.97", - "10.129.161.18", - "10.183.90.25" + "10.129.161.18" ], "related.user": [ "aedicta" @@ -4087,11 +4276,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4479", + "related.hosts": [ + "mqui1099.api.corp" + ], "related.ip": [ + "10.67.129.100", "10.231.167.171", - "10.248.156.138", "10.189.162.131", - "10.67.129.100" + "10.248.156.138" ], "related.user": [ "sedquia" @@ -4152,11 +4344,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2927", + "related.hosts": [ + "siuta2155.lan" + ], "related.ip": [ - "10.63.103.30", - "10.142.106.66", "10.6.146.184", - "10.185.107.27" + "10.185.107.27", + "10.63.103.30", + "10.142.106.66" ], "related.user": [ "sequu" 
@@ -4216,11 +4411,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4023", + "related.hosts": [ + "tatiset4191.localdomain" + ], "related.ip": [ "10.93.39.237", "10.119.179.182", - "10.214.93.200", - "10.0.202.9" + "10.0.202.9", + "10.214.93.200" ], "related.user": [ "tionofd" @@ -4281,9 +4479,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5939", + "related.hosts": [ + "aute2433.mail.lan" + ], "related.ip": [ - "10.252.204.162", "10.28.145.163", + "10.252.204.162", "10.123.154.140", "10.30.189.166" ], @@ -4345,10 +4546,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6564", + "related.hosts": [ + "idolo6535.internal.example" + ], "related.ip": [ + "10.145.128.250", "10.79.49.3", "10.46.162.198", - "10.145.128.250", "10.29.122.183" ], "related.user": [ @@ -4410,10 +4614,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3341", + "related.hosts": [ + "one7728.api.localdomain" + ], "related.ip": [ + "10.166.169.167", "10.65.174.196", "10.177.232.136", - "10.166.169.167", "10.142.235.217" ], "related.user": [ @@ -4475,10 +4682,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.325", + "related.hosts": [ + "uptatem4446.internal.localhost" + ], "related.ip": [ "10.29.217.44", - "10.191.78.86", "10.215.184.154", + "10.191.78.86", "10.53.188.140" ], "related.user": [ @@ -4540,11 +4750,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3567", + "related.hosts": [ + "emq2514.api.localhost" + ], "related.ip": [ "10.135.77.156", - "10.74.74.129", + "10.46.222.149", "10.76.148.147", - "10.46.222.149" + "10.74.74.129" ], "related.user": [ "urve" 
@@ -4604,11 +4817,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1186", + "related.hosts": [ + "agna5654.www.corp" + ], "related.ip": [ - "10.130.203.37", "10.145.49.29", + "10.96.200.223", "10.11.146.253", - "10.96.200.223" + "10.130.203.37" ], "related.user": [ "mvele" @@ -4668,10 +4884,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6845", + "related.hosts": [ + "ipi4827.mail.lan" + ], "related.ip": [ - "10.48.75.140", - "10.162.78.48", "10.24.23.209", + "10.162.78.48", + "10.48.75.140", "10.162.2.180" ], "related.user": [ @@ -4732,9 +4951,12 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.419", + "related.hosts": [ + "sequatD163.internal.example" + ], "related.ip": [ - "10.66.92.83", "10.151.206.38", + "10.66.92.83", "10.119.12.186", "10.97.105.115" ], @@ -4796,11 +5018,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7551", + "related.hosts": [ + "itamet1303.invalid" + ], "related.ip": [ - "10.12.148.73", - "10.201.132.114", + "10.64.76.142", "10.169.139.250", - "10.64.76.142" + "10.12.148.73", + "10.201.132.114" ], "related.user": [ "borisnis" @@ -4861,10 +5086,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5292", + "related.hosts": [ + "epr3512.internal.domain" + ], "related.ip": [ - "10.35.38.185", - "10.9.236.18", "10.111.128.11", + "10.9.236.18", + "10.35.38.185", "10.200.116.191" ], "related.user": [ @@ -4925,11 +5153,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5991", + "related.hosts": [ + "uredol2174.home" + ], "related.ip": [ - "10.236.67.227", "10.134.238.8", - "10.240.62.238", - "10.191.27.182" + "10.191.27.182", + "10.236.67.227", + "10.240.62.238" ], "related.user": [ "tlabo" 
@@ -4989,11 +5220,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6837", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], "related.ip": [ "10.109.14.142", + "10.22.231.91", "10.65.35.64", - "10.165.66.92", - "10.22.231.91" + "10.165.66.92" ], "related.user": [ "perna" @@ -5053,11 +5287,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.99", + "related.hosts": [ + "inimav5557.www5.test" + ], "related.ip": [ - "10.29.230.203", - "10.89.221.90", + "10.64.161.215", "10.71.112.86", - "10.64.161.215" + "10.89.221.90", + "10.29.230.203" ], "related.user": [ "rnatur" @@ -5117,11 +5354,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.5232", + "related.hosts": [ + "nonn1650.www.test" + ], "related.ip": [ - "10.140.118.182", - "10.88.226.76", "10.221.199.137", - "10.79.208.135" + "10.88.226.76", + "10.79.208.135", + "10.140.118.182" ], "related.user": [ "erspic" @@ -5182,11 +5422,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2492", + "related.hosts": [ + "acons3940.api.lan" + ], "related.ip": [ - "10.133.48.55", - "10.126.61.230", "10.35.73.208", - "10.189.244.22" + "10.126.61.230", + "10.189.244.22", + "10.133.48.55" ], "related.user": [ "tia" @@ -5246,10 +5489,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4044", + "related.hosts": [ + "suscipit587.www.localhost" + ], "related.ip": [ - "10.81.154.115", "10.240.94.109", "10.239.194.105", + "10.81.154.115", "10.35.65.72" ], "related.user": [ @@ -5311,11 +5557,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2307", + "related.hosts": [ + "mnisiut6146.internal.local" + ], "related.ip": [ "10.150.56.227", - "10.38.253.213", + "10.52.70.192", "10.248.72.104", - "10.52.70.192" + "10.38.253.213" ], "related.user": [ "ionem" 
@@ -5376,10 +5625,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2031", + "related.hosts": [ + "borios1067.www5.home" + ], "related.ip": [ - "10.73.172.186", "10.218.15.164", "10.62.218.239", + "10.73.172.186", "10.203.193.134" ], "related.user": [ @@ -5440,11 +5692,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2555", + "related.hosts": [ + "msequ323.www.example" + ], "related.ip": [ - "10.60.20.76", "10.10.46.43", - "10.136.211.234", - "10.131.127.113" + "10.131.127.113", + "10.60.20.76", + "10.136.211.234" ], "related.user": [ "nev" @@ -5505,11 +5760,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3291", + "related.hosts": [ + "tdolorem813.internal.host" + ], "related.ip": [ - "10.233.181.250", "10.248.0.74", - "10.50.177.151", - "10.187.237.220" + "10.233.181.250", + "10.187.237.220", + "10.50.177.151" ], "related.user": [ "ugiatq" @@ -5570,11 +5828,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2859", + "related.hosts": [ + "volupt4626.internal.test" + ], "related.ip": [ - "10.248.248.120", "10.96.223.46", + "10.80.129.81", "10.189.43.11", - "10.80.129.81" + "10.248.248.120" ], "related.user": [ "iatn" @@ -5635,10 +5896,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.1910", + "related.hosts": [ + "ntium5103.www5.localhost" + ], "related.ip": [ - "10.173.114.63", - "10.102.109.199", "10.91.115.139", + "10.102.109.199", + "10.173.114.63", "10.66.106.186" ], "related.user": [ @@ -5700,10 +5964,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3690", + "related.hosts": [ + "orpori3334.www.local" + ], "related.ip": [ - "10.159.155.88", "10.0.175.17", "10.198.157.122", + "10.159.155.88", "10.221.223.127" ], "related.user": [ 
@@ -5764,6 +6031,9 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.6302", + "related.hosts": [ + "equu7361.www5.localdomain" + ], "related.ip": [ "10.252.136.130", "10.189.70.237", @@ -5829,11 +6099,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2037", + "related.hosts": [ + "tse2979.internal.localhost" + ], "related.ip": [ - "10.102.109.194", "10.60.224.93", "10.242.121.165", - "10.83.105.69" + "10.83.105.69", + "10.102.109.194" ], "related.user": [ "mni" @@ -5894,10 +6167,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7314", + "related.hosts": [ + "uisnostr2390.mail.domain" + ], "related.ip": [ - "10.251.167.219", "10.219.174.45", "10.181.134.69", + "10.251.167.219", "10.17.20.93" ], "related.user": [ @@ -5959,11 +6235,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.596", + "related.hosts": [ + "luptate4811.mail.example" + ], "related.ip": [ - "10.30.117.82", "10.28.233.253", - "10.223.99.90", - "10.37.14.20" + "10.37.14.20", + "10.30.117.82", + "10.223.99.90" ], "related.user": [ "numqua" @@ -6024,11 +6303,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.95", + "related.hosts": [ + "lites1614.www.corp" + ], "related.ip": [ - "10.50.61.114", - "10.125.20.22", "10.57.85.113", - "10.8.32.17" + "10.8.32.17", + "10.50.61.114", + "10.125.20.22" ], "related.user": [ "qua" @@ -6089,10 +6371,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.3064", + "related.hosts": [ + "lorinrep7686.mail.corp" + ], "related.ip": [ - "10.113.78.101", "10.200.28.55", "10.215.224.27", + "10.113.78.101", "10.181.63.82" ], "related.user": [ 
@@ -6154,10 +6439,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.4522", + "related.hosts": [ + "nderit6272.mail.example" + ], "related.ip": [ - "10.139.20.223", - "10.177.14.106", "10.243.43.168", + "10.177.14.106", + "10.139.20.223", "10.169.95.128" ], "related.user": [ @@ -6219,11 +6507,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7456", + "related.hosts": [ + "ntu1279.mail.lan" + ], "related.ip": [ "10.92.168.198", "10.90.93.4", - "10.18.176.44", - "10.39.100.88" + "10.39.100.88", + "10.18.176.44" ], "related.user": [ "adminima" @@ -6284,10 +6575,13 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.2909", + "related.hosts": [ + "essequam1161.domain" + ], "related.ip": [ - "10.49.68.8", "10.163.203.191", "10.193.43.135", + "10.49.68.8", "10.173.13.179" ], "related.user": [ @@ -6348,11 +6642,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.7726", + "related.hosts": [ + "cipitl2184.localdomain" + ], "related.ip": [ - "10.31.147.51", - "10.84.64.28", "10.240.47.113", - "10.209.226.7" + "10.209.226.7", + "10.31.147.51", + "10.84.64.28" ], "related.user": [ "ull" @@ -6413,11 +6710,14 @@ "observer.type": "Firewall", "observer.vendor": "F5", "observer.version": "1.292", + "related.hosts": [ + "item3647.home" + ], "related.ip": [ - "10.32.20.4", + "10.225.189.229", "10.86.1.244", "10.52.13.192", - "10.225.189.229" + "10.32.20.4" ], "related.user": [ "odtemp" diff --git a/x-pack/filebeat/module/f5/bigipapm/config/input.yml b/x-pack/filebeat/module/f5/bigipapm/config/input.yml index 2cfda9d24b5..72e7af4e030 100644 --- a/x-pack/filebeat/module/f5/bigipapm/config/input.yml +++ b/x-pack/filebeat/module/f5/bigipapm/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 
diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml
index e8059307928..d9d450d215d 100644
--- a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{rsa.web.fqdn}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.web?.fqdn != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
index b3f74874b99..fe5ce75e182 100644
--- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json
@@ -42,6 +42,9 @@
 "observer.type": "Access",
 "observer.vendor": "F5",
 "process.pid": 6153,
+ "related.hosts": [
+ "sist1803.mail.local"
+ ],
 "rsa.internal.messageid": "01490504",
 "rsa.misc.log_session_id": "deF",
 "rsa.misc.severity": "medium",
@@ -809,6 +812,9 @@
 "observer.type": "Access",
 "observer.vendor": "F5",
 "process.pid": 7589,
+ "related.hosts": [
+ "dolores2519.mail.host"
+ ],
 "related.user": [
 "tob"
 ],
@@ -839,6 +845,9 @@
 "observer.type": "Access",
 "observer.vendor": "F5",
 "process.pid": 5899,
+ "related.hosts": [
+ "luptat2979.internal.local"
+ ],
 "related.user": [
 "iqua"
 ],
@@ -974,8 +983,8 @@
 "observer.vendor": "F5",
 "process.pid": 4318,
 "related.ip": [
- "10.122.204.151",
- "10.169.101.161"
+ "10.169.101.161",
+ "10.122.204.151"
 ],
 "rsa.internal.messageid": "01490500",
 "rsa.misc.log_session_id": "snulap",
@@ -1556,8 +1565,8 @@
 "observer.vendor": "F5",
 "process.pid": 1973,
 "related.ip": [
- "10.187.64.126",
- "10.47.99.72"
+ "10.47.99.72",
+ "10.187.64.126"
 ],
 "rsa.internal.messageid": "01490500",
 "rsa.misc.category": "oremipsu",
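Review bot: The new `append` in the bigipapm pipeline hunk guards only on null (`if: ctx?.rsa?.web?.fqdn != null`), so an empty-string `rsa.web.fqdn` would still pass the check and `related.hosts` would carry a `""` entry; whether the parser can emit an empty value there is not visible in this hunk, so confirm it against the field mapping before tightening. If it can, `if: ctx?.rsa?.web?.fqdn != null && ctx.rsa.web.fqdn != ''` keeps the empty value out without changing the non-empty case. The processor also carries no comment explaining why a web FQDN lands in `related.hosts`; a one-liner such as `# ECS related.hosts: collect every hostname seen in the event so one keyword query can pivot across fields` above the `append` would make the intent clear to the next maintainer. Since `related.*` is presumably matched as an exact keyword, it is also worth deciding whether the value should be case-normalised before it is appended, so `Host.Example` and `host.example` do not become two separate pivots.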
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
index 2792f46aafd..40b42e4e527 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
index 36997bc4379..e8deb2d54d3 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
index 3b9dc0716ec..69eab97fe35 100644
--- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json
@@ -20,6 +20,10 @@
 "observer.type": "Anti-Virus",
 "observer.vendor": "Fortinet",
 "process.pid": 7880,
+ "related.hosts": [
+ "boNemoe4402.www.invalid",
+ "litesse6379.api.domain"
+ ],
 "related.ip": [
 "10.150.92.220",
 "10.102.123.34"
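Review bot: The first `append` in the clientendpoint pipeline hunk feeds `host.name` into `related.hosts`, and `host.name` is commonly the name the beat assigns to the shipper itself unless the module overwrites it from the log; if any event leaves it untouched, that event's `related.hosts` would point at the collector rather than at an endpoint in the log. The expected fixture in the same hunk shows two distinct, per-event generated names (`boNemoe4402.www.invalid`, `litesse6379.api.domain`), which suggests both values are log-derived here, but that is worth confirming against the parser rather than assuming. The two `append` blocks are identical apart from the source field and carry no comment; a header such as `# ECS related.hosts: hostnames seen in the event (endpoint host and server domain) for cross-field pivoting` above the first would document the intent. Because `related.*` is presumably queried by exact keyword match, consider whether these values need case normalisation before they are appended, depending on how the parser emits them.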
@@ -75,9 +79,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4539, + "related.hosts": [ + "olupt4880.api.home", + "gnaali6189.internal.localhost" + ], "related.ip": [ - "10.149.203.46", - "10.33.212.159" + "10.33.212.159", + "10.149.203.46" ], "related.user": [ "mipsumq" @@ -130,6 +138,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 445, + "related.hosts": [ + "aqu1628.internal.domain", + "quis1130.internal.corp" + ], "related.ip": [ "10.118.175.9", "10.173.116.41" @@ -185,9 +197,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5712, + "related.hosts": [ + "tinculp2940.internal.local", + "reprehe189.internal.home" + ], "related.ip": [ - "10.202.204.154", - "10.134.137.177" + "10.134.137.177", + "10.202.204.154" ], "related.user": [ "orsitame" @@ -240,9 +256,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6557, + "related.hosts": [ + "rad2103.api.domain", + "enimad2283.internal.domain" + ], "related.ip": [ - "10.70.0.60", - "10.245.142.250" + "10.245.142.250", + "10.70.0.60" ], "related.user": [ "eos" @@ -295,9 +315,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2061, + "related.hosts": [ + "enim5316.www5.local", + "doloreeu3553.www5.home" + ], "related.ip": [ - "10.202.72.124", - "10.200.188.142" + "10.200.188.142", + "10.202.72.124" ], "related.user": [ "iusmodt" @@ -350,9 +374,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5722, + "related.hosts": [ + "reetdolo2770.www5.local", + "iutal13.api.localdomain" + ], "related.ip": [ - "10.214.225.125", - "10.12.44.169" + "10.12.44.169", + "10.214.225.125" ], "related.user": [ "erep" @@ -405,6 +433,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5037, + "related.hosts": [ + "isiu1114.internal.corp", + "uovol492.www.localhost" + ], "related.ip": [ "10.198.136.50", "10.66.108.11" 
@@ -460,6 +492,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 776, + "related.hosts": [ + "usmodte1296.www.corp", + "osquir6997.corp" + ], "related.ip": [ "10.69.20.77", "10.178.244.31" @@ -515,6 +551,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6096, + "related.hosts": [ + "tatno4987.www5.localhost", + "eniam7007.api.invalid" + ], "related.ip": [ "10.54.231.100", "10.203.5.162" @@ -570,9 +610,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7307, + "related.hosts": [ + "tatno6787.internal.localhost", + "snulapar3794.api.domain" + ], "related.ip": [ - "10.136.252.240", - "10.65.83.160" + "10.65.83.160", + "10.136.252.240" ], "related.user": [ "ender" @@ -625,6 +669,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2703, + "related.hosts": [ + "essecill2595.mail.local", + "liq5883.localdomain" + ], "related.ip": [ "10.210.213.18", "10.57.40.29" @@ -680,6 +728,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5166, + "related.hosts": [ + "ali6446.localhost", + "rsint7026.test" + ], "related.ip": [ "10.144.82.69", "10.200.156.102" @@ -735,6 +787,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7668, + "related.hosts": [ + "torev7118.internal.domain", + "qua2945.www.local" + ], "related.ip": [ "10.109.232.112", "10.72.58.135" @@ -790,9 +846,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1044, + "related.hosts": [ + "dolore6103.www5.example", + "luptat6494.www.example" + ], "related.ip": [ - "10.38.22.45", - "10.72.29.73" + "10.72.29.73", + "10.38.22.45" ], "related.user": [ "onproide" @@ -845,6 +905,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7183, + "related.hosts": [ + "errorsi6996.www.domain", + "moenimi6317.internal.invalid" + ], "related.ip": [ "10.70.95.74", "10.76.72.111" 
@@ -900,6 +964,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6907, + "related.hosts": [ + "lumquido5839.api.corp", + "tion1761.home" + ], "related.ip": [ "10.73.69.75", "10.19.201.13" @@ -955,6 +1023,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 499, + "related.hosts": [ + "aperia4409.www5.invalid", + "santium4235.api.local" + ], "related.ip": [ "10.84.105.75", "10.78.151.178" @@ -1010,6 +1082,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1531, + "related.hosts": [ + "tem2496.api.lan", + "CSed2857.www5.example" + ], "related.ip": [ "10.25.192.202", "10.135.233.146" @@ -1065,9 +1141,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6051, + "related.hosts": [ + "eme6710.mail.invalid", + "equep5085.mail.domain" + ], "related.ip": [ - "10.121.219.204", - "10.104.134.200" + "10.104.134.200", + "10.121.219.204" ], "related.user": [ "uptat" @@ -1120,9 +1200,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6994, + "related.hosts": [ + "ihilm1669.mail.invalid", + "conseq557.mail.lan" + ], "related.ip": [ - "10.191.105.82", - "10.225.160.182" + "10.225.160.182", + "10.191.105.82" ], "related.user": [ "eirure" @@ -1175,6 +1259,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5200, + "related.hosts": [ + "umexerci1284.internal.localdomain", + "ite2026.www.invalid" + ], "related.ip": [ "10.141.44.153", "10.161.57.8" @@ -1230,6 +1318,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3365, + "related.hosts": [ + "adol485.example", + "lit5929.test" + ], "related.ip": [ "10.153.111.103", "10.6.167.7" @@ -1285,6 +1377,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1835, + "related.hosts": [ + "evita5008.www.localdomain", + "oru6938.invalid" + ], "related.ip": [ "10.248.204.182", "10.134.148.219" 
@@ -1340,6 +1436,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2019, + "related.hosts": [ + "tsedqu2456.www5.invalid", + "etdol5473.local" + ], "related.ip": [ "10.163.5.243", "10.178.77.231" @@ -1395,9 +1495,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2493, + "related.hosts": [ + "ris3314.mail.invalid", + "nimid893.mail.corp" + ], "related.ip": [ - "10.177.194.18", - "10.221.89.228" + "10.221.89.228", + "10.177.194.18" ], "related.user": [ "aliquam" @@ -1450,6 +1554,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3022, + "related.hosts": [ + "reme622.mail.example", + "rumwritt6003.host" + ], "related.ip": [ "10.32.239.1", "10.241.65.49" @@ -1505,9 +1613,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2328, + "related.hosts": [ + "non3341.mail.invalid", + "xeacomm6855.api.corp" + ], "related.ip": [ - "10.101.57.120", - "10.168.90.81" + "10.168.90.81", + "10.101.57.120" ], "related.user": [ "eporr" @@ -1560,6 +1672,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1156, + "related.hosts": [ + "ris727.api.local", + "icabo4125.mail.domain" + ], "related.ip": [ "10.130.14.60", "10.14.211.43" @@ -1615,9 +1731,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6003, + "related.hosts": [ + "stquido5705.api.host", + "ionofdeF5643.www.localhost" + ], "related.ip": [ - "10.248.101.25", - "10.60.129.15" + "10.60.129.15", + "10.248.101.25" ], "related.user": [ "evolup" @@ -1670,9 +1790,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5651, + "related.hosts": [ + "etcons7378.api.lan", + "orem6702.invalid" + ], "related.ip": [ - "10.72.93.28", - "10.111.187.12" + "10.111.187.12", + "10.72.93.28" ], "related.user": [ "niamqui" 
@@ -1725,6 +1849,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3470, + "related.hosts": [ + "vita2681.www5.local", + "oin6780.mail.domain" + ], "related.ip": [ "10.27.14.168", "10.66.2.232" @@ -1780,6 +1908,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6932, + "related.hosts": [ + "tnulapa7592.www.local", + "eprehen3224.www5.localdomain" + ], "related.ip": [ "10.195.2.130", "10.75.99.127" @@ -1835,6 +1967,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6945, + "related.hosts": [ + "lup2134.www.localhost", + "ptasn6599.www.localhost" + ], "related.ip": [ "10.201.238.90", "10.245.104.182" @@ -1890,9 +2026,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 853, + "related.hosts": [ + "tanimid3337.mail.corp", + "nisist2752.home" + ], "related.ip": [ - "10.105.91.31", - "10.217.150.196" + "10.217.150.196", + "10.105.91.31" ], "related.user": [ "con" @@ -1945,9 +2085,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4153, + "related.hosts": [ + "eumiu765.api.lan", + "gitsedqu2649.mail.lan" + ], "related.ip": [ - "10.4.157.1", - "10.184.18.202" + "10.184.18.202", + "10.4.157.1" ], "related.user": [ "oditem" @@ -2000,9 +2144,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1693, + "related.hosts": [ + "mquelau5326.mail.lan", + "entsunt3962.www.example" + ], "related.ip": [ - "10.255.39.252", - "10.113.95.59" + "10.113.95.59", + "10.255.39.252" ], "related.user": [ "persp" @@ -2055,9 +2203,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 337, + "related.hosts": [ + "idestlab2631.www.lan", + "tut2703.www.host" + ], "related.ip": [ - "10.83.177.2", - "10.27.16.118" + "10.27.16.118", + "10.83.177.2" ], "related.user": [ "borios" 
@@ -2110,6 +2262,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7041, + "related.hosts": [ + "inesci6789.test", + "entorev160.test" + ], "related.ip": [ "10.167.227.44", "10.38.54.72" @@ -2165,6 +2321,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3854, + "related.hosts": [ + "ccaeca7077.internal.corp", + "proide3714.mail.localdomain" + ], "related.ip": [ "10.215.205.216", "10.216.54.184" @@ -2220,6 +2380,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 55, + "related.hosts": [ + "ima2031.api.corp", + "tot5313.mail.invalid" + ], "related.ip": [ "10.9.18.237", "10.9.12.248" @@ -2275,9 +2439,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 228, + "related.hosts": [ + "ian867.internal.corp", + "rumet3801.internal.domain" + ], "related.ip": [ - "10.83.130.226", - "10.41.123.102" + "10.41.123.102", + "10.83.130.226" ], "related.user": [ "tenim" @@ -2330,9 +2498,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4253, + "related.hosts": [ + "lorin4249.corp", + "liqua2834.www5.lan" + ], "related.ip": [ - "10.80.152.108", - "10.175.112.197" + "10.175.112.197", + "10.80.152.108" ], "related.user": [ "tametcon" @@ -2385,6 +2557,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2200, + "related.hosts": [ + "gnaaliqu3935.api.test", + "sequat7273.api.host" + ], "related.ip": [ "10.134.18.114", "10.142.25.100" @@ -2440,6 +2616,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5717, + "related.hosts": [ + "nsequat1859.internal.localhost", + "uidol4575.localhost" + ], "related.ip": [ "10.28.118.160", "10.223.119.218" @@ -2495,6 +2675,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4469, + "related.hosts": [ + "ritin2495.api.corp", + "oremq2000.api.corp" + ], "related.ip": [ "10.47.28.48", "10.110.114.175" 
@@ -2550,6 +2734,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5524, + "related.hosts": [ + "tetur2694.mail.local", + "oremi1485.api.localhost" + ], "related.ip": [ "10.40.251.202", "10.90.33.138" @@ -2605,9 +2793,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3624, + "related.hosts": [ + "rem7043.localhost", + "sequatD5469.www5.lan" + ], "related.ip": [ - "10.227.173.252", - "10.65.2.106" + "10.65.2.106", + "10.227.173.252" ], "related.user": [ "itation" @@ -2660,6 +2852,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1609, + "related.hosts": [ + "emqu2846.internal.home", + "item2738.test" + ], "related.ip": [ "10.28.84.106", "10.193.233.229" @@ -2715,9 +2911,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6248, + "related.hosts": [ + "dqu6144.api.localhost", + "iosamnis1047.internal.localdomain" + ], "related.ip": [ - "10.150.245.88", - "10.210.89.183" + "10.210.89.183", + "10.150.245.88" ], "related.user": [ "sequa" @@ -2770,6 +2970,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7224, + "related.hosts": [ + "giatquov1918.internal.example", + "orroq6677.internal.example" + ], "related.ip": [ "10.85.185.13", "10.180.195.43" @@ -2825,6 +3029,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 430, + "related.hosts": [ + "estl5804.internal.local", + "onevo4326.internal.local" + ], "related.ip": [ "10.210.28.247", "10.207.211.230" @@ -2880,9 +3088,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3589, + "related.hosts": [ + "Sedut1775.www.domain", + "itaedict7233.mail.localdomain" + ], "related.ip": [ - "10.248.165.185", - "10.86.11.48" + "10.86.11.48", + "10.248.165.185" ], "related.user": [ "dquiac" 
@@ -2935,9 +3147,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4814, + "related.hosts": [ + "mac7484.www5.test", + "numquam5869.internal.example" + ], "related.ip": [ - "10.47.125.38", - "10.118.6.177" + "10.118.6.177", + "10.47.125.38" ], "related.user": [ "quunt" @@ -2990,6 +3206,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 276, + "related.hosts": [ + "oin1140.mail.localhost", + "onu6137.api.home" + ], "related.ip": [ "10.60.142.127", "10.50.233.155" @@ -3045,6 +3265,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2452, + "related.hosts": [ + "naaliq3710.api.local", + "aecatcup2241.www5.test" + ], "related.ip": [ "10.28.82.189", "10.120.10.211" @@ -3100,6 +3324,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3453, + "related.hosts": [ + "volupta3552.internal.localhost", + "labor6360.mail.local" + ], "related.ip": [ "10.31.237.225", "10.6.38.163" @@ -3155,9 +3383,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2302, + "related.hosts": [ + "onse380.internal.localdomain", + "mveleum4322.www5.host" + ], "related.ip": [ - "10.125.165.144", - "10.226.5.189" + "10.226.5.189", + "10.125.165.144" ], "related.user": [ "mvolu" @@ -3210,6 +3442,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7079, + "related.hosts": [ + "queips4947.mail.example", + "archite1843.mail.home" + ], "related.ip": [ "10.46.56.204", "10.97.149.97" @@ -3265,9 +3501,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5773, + "related.hosts": [ + "oloreseo5039.test", + "itanim4024.api.example" + ], "related.ip": [ - "10.218.0.197", - "10.28.105.124" + "10.28.105.124", + "10.218.0.197" ], "related.user": [ "ntNe" 
@@ -3320,6 +3560,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1586, + "related.hosts": [ + "minim459.mail.local", + "nreprehe715.api.home" + ], "related.ip": [ "10.17.87.79", "10.123.199.198" @@ -3375,9 +3619,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5137, + "related.hosts": [ + "eratv211.api.host", + "unte893.internal.host" + ], "related.ip": [ - "10.115.68.40", - "10.38.86.177" + "10.38.86.177", + "10.115.68.40" ], "related.user": [ "mpo" @@ -3430,9 +3678,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5704, + "related.hosts": [ + "aparia1179.www.localdomain", + "aspe951.mail.domain" + ], "related.ip": [ - "10.193.118.163", - "10.115.174.107" + "10.115.174.107", + "10.193.118.163" ], "related.user": [ "exeacomm" @@ -3485,6 +3737,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2310, + "related.hosts": [ + "iatqu6203.mail.corp", + "dipiscin4957.www.home" + ], "related.ip": [ "10.77.77.208", "10.37.128.49" @@ -3540,6 +3796,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5398, + "related.hosts": [ + "ptasnula6576.api.invalid", + "econs2687.internal.localdomain" + ], "related.ip": [ "10.54.73.158", "10.1.96.93" @@ -3595,6 +3855,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2465, + "related.hosts": [ + "mag1506.internal.domain", + "tiumto5834.api.lan" + ], "related.ip": [ "10.182.152.242", "10.131.126.109" @@ -3650,6 +3914,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6064, + "related.hosts": [ + "fugits1163.host", + "iutal6032.www.test" + ], "related.ip": [ "10.181.247.224", "10.77.229.168" 
@@ -3705,9 +3973,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2861, + "related.hosts": [ + "gitse2463.www5.invalid", + "inculp2078.host" + ], "related.ip": [ - "10.72.162.6", - "10.235.116.121" + "10.235.116.121", + "10.72.162.6" ], "related.user": [ "oinv" @@ -3760,9 +4032,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3559, + "related.hosts": [ + "temse6953.www.example", + "mexerc2757.internal.home" + ], "related.ip": [ - "10.149.193.117", - "10.28.124.236" + "10.28.124.236", + "10.149.193.117" ], "related.user": [ "mullam" @@ -3815,6 +4091,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1710, + "related.hosts": [ + "deriti6952.mail.domain", + "squira4455.api.domain" + ], "related.ip": [ "10.196.96.162", "10.34.131.224" @@ -3870,6 +4150,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4984, + "related.hosts": [ + "abor1370.www.domain", + "emveleum3661.localhost" + ], "related.ip": [ "10.97.236.123", "10.77.78.180" @@ -3925,9 +4209,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3421, + "related.hosts": [ + "emullamc5418.mail.test", + "sedquiac6517.internal.localhost" + ], "related.ip": [ - "10.45.54.107", - "10.82.133.66" + "10.82.133.66", + "10.45.54.107" ], "related.user": [ "olorem" @@ -3980,6 +4268,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4020, + "related.hosts": [ + "squirati7050.www5.lan", + "veniam3148.www5.home" + ], "related.ip": [ "10.170.252.219", "10.180.180.230" @@ -4035,9 +4327,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 617, + "related.hosts": [ + "venia2079.mail.example", + "unt3559.www.home" + ], "related.ip": [ - "10.65.144.51", - "10.5.11.205" + "10.5.11.205", + "10.65.144.51" ], "related.user": [ "uptat" 
@@ -4090,6 +4386,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 487, + "related.hosts": [ + "snostrum3450.www5.localhost", + "rere5274.mail.domain" + ], "related.ip": [ "10.76.122.196", "10.195.223.82" @@ -4145,6 +4445,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2442, + "related.hosts": [ + "gelitsed3249.corp", + "uaeabi3728.www5.invalid" + ], "related.ip": [ "10.225.255.211", "10.138.210.116" @@ -4200,6 +4504,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6311, + "related.hosts": [ + "dolor7082.internal.localhost", + "uamqu2804.test" + ], "related.ip": [ "10.250.81.189", "10.219.1.151" @@ -4255,6 +4563,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 7128, + "related.hosts": [ + "totam6886.api.localhost", + "olor5201.host" + ], "related.ip": [ "10.54.23.133", "10.76.125.70" @@ -4310,9 +4622,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2780, + "related.hosts": [ + "laborum5749.www.example", + "eufug3348.www.lan" + ], "related.ip": [ - "10.36.110.69", - "10.189.42.62" + "10.189.42.62", + "10.36.110.69" ], "related.user": [ "eque" @@ -4365,6 +4681,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3284, + "related.hosts": [ + "lup3313.api.home", + "stquidol239.www5.invalid" + ], "related.ip": [ "10.47.179.68", "10.183.202.82" @@ -4420,6 +4740,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2314, + "related.hosts": [ + "edq5397.www.test", + "gia6531.mail.invalid" + ], "related.ip": [ "10.73.28.165", "10.221.206.74" @@ -4475,9 +4799,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5284, + "related.hosts": [ + "udan6536.www5.test", + "lamcola4879.www5.localdomain" + ], "related.ip": [ - "10.85.104.146", - "10.14.204.36" + "10.14.204.36", + "10.85.104.146" ], "related.user": [ "emp" 
@@ -4530,6 +4858,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3990, + "related.hosts": [ + "rumet6923.www5.lan", + "edquian330.mail.local" + ], "related.ip": [ "10.208.18.210", "10.30.246.132" @@ -4585,6 +4917,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4337, + "related.hosts": [ + "itse522.internal.localdomain", + "santi837.api.domain" + ], "related.ip": [ "10.19.119.17", "10.106.249.91" @@ -4640,9 +4976,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5275, + "related.hosts": [ + "amc3059.local", + "lpaquiof804.internal.invalid" + ], "related.ip": [ - "10.181.41.154", - "10.29.109.126" + "10.29.109.126", + "10.181.41.154" ], "related.user": [ "labo" @@ -4695,6 +5035,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2286, + "related.hosts": [ + "enbyCi3813.api.domain", + "nonn4478.host" + ], "related.ip": [ "10.164.207.42", "10.164.120.197" @@ -4750,6 +5094,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2990, + "related.hosts": [ + "liquipex1155.mail.corp", + "amquaer3985.www5.example" + ], "related.ip": [ "10.183.189.133", "10.154.191.225" @@ -4805,9 +5153,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 226, + "related.hosts": [ + "isn3991.local", + "orem6317.local" + ], "related.ip": [ - "10.29.120.226", - "10.103.189.199" + "10.103.189.199", + "10.29.120.226" ], "related.user": [ "emu" @@ -4860,9 +5212,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4691, + "related.hosts": [ + "iumtotam1010.www5.corp", + "velill3230.www.corp" + ], "related.ip": [ - "10.210.153.7", - "10.133.254.23" + "10.133.254.23", + "10.210.153.7" ], "related.user": [ "voluptas" 
@@ -4915,9 +5271,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5647, + "related.hosts": [ + "onsecte91.www5.localdomain", + "orumS757.www5.corp" + ], "related.ip": [ - "10.126.245.73", - "10.91.2.135" + "10.91.2.135", + "10.126.245.73" ], "related.user": [ "olore" @@ -4970,6 +5330,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 2313, + "related.hosts": [ + "abori7686.internal.host", + "emi4534.www.localdomain" + ], "related.ip": [ "10.137.85.123", "10.183.243.246" @@ -5025,6 +5389,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1585, + "related.hosts": [ + "reprehen3513.test", + "inimav1576.mail.example" + ], "related.ip": [ "10.61.225.196", "10.10.86.55" @@ -5080,6 +5448,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 3141, + "related.hosts": [ + "orroquis284.api.domain", + "aturQu7083.mail.host" + ], "related.ip": [ "10.79.73.195", "10.125.143.153" @@ -5135,6 +5507,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6331, + "related.hosts": [ + "tionula2060.www5.localhost", + "lumqui7769.mail.local" + ], "related.ip": [ "10.64.139.17", "10.240.216.85" @@ -5190,9 +5566,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4474, + "related.hosts": [ + "rumSecti111.www5.domain", + "siarc6339.internal.corp" + ], "related.ip": [ - "10.87.90.49", - "10.222.245.80" + "10.222.245.80", + "10.87.90.49" ], "related.user": [ "ptatemse" @@ -5245,6 +5625,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4855, + "related.hosts": [ + "olores7881.local", + "ptatev6552.www.test" + ], "related.ip": [ "10.87.144.208", "10.143.53.214" 
@@ -5300,6 +5684,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 1729, + "related.hosts": [ + "tDuis3281.www5.localdomain", + "byC5766.internal.home" + ], "related.ip": [ "10.105.97.134", "10.204.178.19" @@ -5355,9 +5743,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 4493, + "related.hosts": [ + "uptasnul2751.www5.corp", + "hender6628.local" + ], "related.ip": [ - "10.161.64.168", - "10.194.67.223" + "10.194.67.223", + "10.161.64.168" ], "related.user": [ "tion" @@ -5410,9 +5802,13 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 6094, + "related.hosts": [ + "upt6017.api.localdomain", + "xercit7649.www5.home" + ], "related.ip": [ - "10.100.154.220", - "10.120.148.241" + "10.120.148.241", + "10.100.154.220" ], "related.user": [ "rsitam" @@ -5465,6 +5861,10 @@ "observer.type": "Anti-Virus", "observer.vendor": "Fortinet", "process.pid": 5012, + "related.hosts": [ + "tpers2217.internal.lan", + "porissu1470.domain" + ], "related.ip": [ "10.180.90.112", "10.116.153.19" diff --git a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml index a994af47a3b..ccee80408a8 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/config/input.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml index ef17c6f4130..aff06252131 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml 
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json
index a6b2f00ef54..e3803f80ef3 100644
--- a/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/fortimail/test/generated.log-expected.json
@@ -586,6 +586,9 @@
 "observer.product": "FortiMail",
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
+ "related.hosts": [
+ "lamcolab3252.www.invalid"
+ ],
 "related.ip": [
 "10.179.124.125",
 "10.177.36.38"
@@ -991,8 +994,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "10.140.7.83",
- "10.68.246.187"
+ "10.68.246.187",
+ "10.140.7.83"
 ],
 "rsa.email.email_dst": "gna",
 "rsa.email.email_src": "icabo",
@@ -1241,6 +1244,9 @@
 "observer.product": "FortiMail",
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
+ "related.hosts": [
+ "atise3421.www5.localdomain"
+ ],
 "related.ip": [
 "10.179.210.218",
 "10.73.207.70"
@@ -2640,9 +2646,12 @@
 "observer.product": "FortiMail",
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
+ "related.hosts": [
+ "mveni5084.internal.local"
+ ],
 "related.ip": [
- "10.62.61.1",
- "10.144.111.42"
+ "10.144.111.42",
+ "10.62.61.1"
 ],
 "rsa.email.email_dst": "com",
 "rsa.email.email_src": "lam",
@@ -3081,6 +3090,9 @@
 "observer.product": "FortiMail",
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
+ "related.hosts": [
+ "taevitae6868.www.corp"
+ ],
 "related.ip": [
 "10.60.164.100",
 "10.161.1.146"
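Review bot: Only `server.domain` feeds `related.hosts` in the added append, so the field will not be a complete hostname pivot if this pipeline also sets `source.domain`, `destination.domain` or `observer.hostname` — those processors are outside the hunk, so this is inferred from the surrounding ECS conversion steps rather than seen. A parallel append per host-bearing field, guarded the same way with `allow_duplicates: false`, would make `related.hosts` collect both sides the way the fixtures show `related.ip` already does. The `if:` expression is a bare scalar (`if: ctx?.server?.domain != null`); quoting it as `if: "ctx?.server?.domain != null"` keeps it robust if the condition is later extended with a `: ` or `#`. The enclosing processors list starts outside the hunk.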
@@ -3178,9 +3190,12 @@
 "observer.product": "FortiMail",
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
+ "related.hosts": [
+ "tetura7106.www5.corp"
+ ],
 "related.ip": [
- "10.44.35.57",
- "10.93.239.216"
+ "10.93.239.216",
+ "10.44.35.57"
 ],
 "rsa.email.email_dst": "ciun",
 "rsa.email.email_src": "vento",
@@ -3779,8 +3794,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Fortinet",
 "related.ip": [
- "10.201.105.58",
- "10.251.183.113"
+ "10.251.183.113",
+ "10.201.105.58"
 ],
 "rsa.email.email_dst": "ionemu",
 "rsa.email.email_src": "ent",
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml
index 5d399e10da5..735db765ff8 100644
--- a/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml
+++ b/x-pack/filebeat/module/fortinet/fortimanager/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml
index 8452bb6c2bf..85a7dfc44e7 100644
--- a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json
index 58b8f8f4689..78030aa2c53 100644
--- a/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/fortimanager/test/generated.log-expected.json
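Review bot: The added append copies `host.name` into `related.hosts` verbatim, and the accompanying fixtures show the value arriving with mixed case (for example `"Utenima260.mail.invalid"`), so term queries on this pivot field become case-sensitive even though hostnames are compared case-insensitively in practice; running a `lowercase` processor into a temporary field and appending that instead would normalize it — worth checking against what the other modules in this change do so the convention stays uniform. It is also worth confirming that `host.name` here is the device hostname parsed from the log rather than the Beat's own host metadata, because in the latter case every event would list the collector in `related.hosts`; the hunk does not show where `host.name` is populated. As in the fortimail pipeline, `if: ctx?.host?.name != null` is an unquoted scalar and would be safer as `if: "ctx?.host?.name != null"`. The enclosing processors list starts outside the hunk.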
@@ -90,9 +90,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.410", + "related.hosts": [ + "aer445.host" + ], "related.ip": [ - "10.62.4.246", - "10.171.204.166" + "10.171.204.166", + "10.62.4.246" ], "related.user": [ "oluptas" @@ -102,8 +105,8 @@ "rsa.investigations.event_vcat": "eius", "rsa.misc.OS": "anonnu", "rsa.misc.action": [ - "mol", - "accept" + "accept", + "mol" ], "rsa.misc.category": "exe", "rsa.misc.client": "radip", @@ -177,9 +180,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.200.188.142", "10.94.103.117", - "10.15.159.80" + "10.15.159.80", + "10.200.188.142" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -241,9 +244,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.50.112.141", "10.131.233.27", - "10.27.88.95" + "10.27.88.95", + "10.50.112.141" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -307,6 +310,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5670", + "related.hosts": [ + "olo7148.mail.home" + ], "related.ip": [ "10.87.212.179", "10.157.213.15" @@ -319,8 +325,8 @@ "rsa.investigations.event_vcat": "aveniam", "rsa.misc.OS": "oll", "rsa.misc.action": [ - "allow", - "ali" + "ali", + "allow" ], "rsa.misc.category": "emeumfug", "rsa.misc.client": "caecatc", @@ -395,6 +401,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.152", + "related.hosts": [ + "agna7678.internal.host" + ], "related.ip": [ "10.76.73.140", "10.114.150.67" @@ -407,8 +416,8 @@ "rsa.investigations.event_vcat": "mwr", "rsa.misc.OS": "imaven", "rsa.misc.action": [ - "accept", - "uines" + "uines", + "accept" ], "rsa.misc.category": "uidolo", "rsa.misc.client": "emips", 
@@ -483,9 +492,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4059", + "related.hosts": [ + "equep5085.mail.domain" + ], "related.ip": [ - "10.195.36.51", - "10.95.64.124" + "10.95.64.124", + "10.195.36.51" ], "related.user": [ "nnum" @@ -495,8 +507,8 @@ "rsa.investigations.event_vcat": "quae", "rsa.misc.OS": "qui", "rsa.misc.action": [ - "iadese", - "accept" + "accept", + "iadese" ], "rsa.misc.category": "aturve", "rsa.misc.client": "utei", @@ -570,8 +582,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.176.216.90", "10.114.16.155", + "10.176.216.90", "10.186.85.3" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -635,6 +647,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3917", + "related.hosts": [ + "eturadi6608.mail.host" + ], "related.ip": [ "10.61.163.4", "10.23.62.94" @@ -647,8 +662,8 @@ "rsa.investigations.event_vcat": "oide", "rsa.misc.OS": "gel", "rsa.misc.action": [ - "cancel", - "luptatem" + "luptatem", + "cancel" ], "rsa.misc.category": "uir", "rsa.misc.client": "ratvolu", @@ -723,9 +738,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2580", + "related.hosts": [ + "ipsumdol4488.api.localdomain" + ], "related.ip": [ - "10.28.76.42", - "10.106.31.86" + "10.106.31.86", + "10.28.76.42" ], "related.user": [ "cons" @@ -811,8 +829,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.238.164.74", - "10.58.214.16", - "10.106.162.153" + "10.106.162.153", + "10.58.214.16" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -874,8 +892,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.217.150.196", "10.110.31.190", + "10.217.150.196", "10.225.141.20" ], "rsa.internal.messageid": "generic_fortinetmgr_1", 
@@ -939,9 +957,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3319", + "related.hosts": [ + "cusant4946.www.domain" + ], "related.ip": [ - "10.137.56.173", - "10.69.103.176" + "10.69.103.176", + "10.137.56.173" ], "related.user": [ "proide" @@ -1026,9 +1047,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.30.47.165", "10.5.235.217", - "10.25.212.118" + "10.25.212.118", + "10.30.47.165" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1091,9 +1112,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.225", + "related.hosts": [ + "ccaeca5504.internal.example" + ], "related.ip": [ - "10.40.152.253", - "10.149.13.76" + "10.149.13.76", + "10.40.152.253" ], "related.user": [ "tetur" @@ -1307,6 +1331,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1847", + "related.hosts": [ + "tore7088.www.invalid" + ], "related.ip": [ "10.199.47.220", "10.212.214.4" @@ -1395,9 +1422,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.760", + "related.hosts": [ + "mve1890.internal.home" + ], "related.ip": [ - "10.234.165.130", - "10.46.56.204" + "10.46.56.204", + "10.234.165.130" ], "related.user": [ "orese" @@ -1483,9 +1513,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4450", + "related.hosts": [ + "eturad6143.www.home" + ], "related.ip": [ - "10.95.117.134", - "10.128.46.70" + "10.128.46.70", + "10.95.117.134" ], "related.user": [ "enim" @@ -1495,8 +1528,8 @@ "rsa.investigations.event_vcat": "boNem", "rsa.misc.OS": "ntium", "rsa.misc.action": [ - "acommodi", - "block" + "block", + "acommodi" ], "rsa.misc.category": "inrepreh", "rsa.misc.client": "moles", 
@@ -1571,9 +1604,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7544", + "related.hosts": [ + "orinrep5386.www.corp" + ], "related.ip": [ - "10.208.21.135", - "10.253.228.140" + "10.253.228.140", + "10.208.21.135" ], "related.user": [ "inculp" @@ -1583,8 +1619,8 @@ "rsa.investigations.event_vcat": "emagn", "rsa.misc.OS": "oditempo", "rsa.misc.action": [ - "cancel", - "ugitse" + "ugitse", + "cancel" ], "rsa.misc.category": "magnid", "rsa.misc.client": "sci", @@ -1659,9 +1695,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1710", + "related.hosts": [ + "henderi724.www5.home" + ], "related.ip": [ - "10.243.226.122", - "10.3.23.172" + "10.3.23.172", + "10.243.226.122" ], "related.user": [ "olorem" @@ -1671,8 +1710,8 @@ "rsa.investigations.event_vcat": "ess", "rsa.misc.OS": "equatDu", "rsa.misc.action": [ - "emullamc", - "cancel" + "cancel", + "emullamc" ], "rsa.misc.category": "niamquis", "rsa.misc.client": "tutlabo", @@ -1747,9 +1786,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5380", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], "related.ip": [ - "10.94.242.80", - "10.106.85.174" + "10.106.85.174", + "10.94.242.80" ], "related.user": [ "lmo" @@ -1835,9 +1877,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.168.20.20", "10.117.63.181", - "10.247.53.179" + "10.247.53.179", + "10.168.20.20" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -1901,6 +1943,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2208", + "related.hosts": [ + "tasnul4179.internal.host" + ], "related.ip": [ "10.141.156.217", "10.53.168.187" 
@@ -1913,8 +1958,8 @@ "rsa.investigations.event_vcat": "illumq", "rsa.misc.OS": "idata", "rsa.misc.action": [ - "block", - "emacc" + "emacc", + "block" ], "rsa.misc.category": "ueporro", "rsa.misc.client": "veli", @@ -1990,6 +2035,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3402", + "related.hosts": [ + "bore5546.www.local" + ], "related.ip": [ "10.44.198.184", "10.189.82.19" @@ -2002,8 +2050,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "turadip", "rsa.misc.action": [ - "odoc", - "accept" + "accept", + "odoc" ], "rsa.misc.category": "volup", "rsa.misc.client": "tur", @@ -2078,6 +2126,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.91", + "related.hosts": [ + "Utenima260.mail.invalid" + ], "related.ip": [ "10.151.170.207", "10.181.183.104" @@ -2090,8 +2141,8 @@ "rsa.investigations.event_vcat": "eturadip", "rsa.misc.OS": "onsecte", "rsa.misc.action": [ - "amni", - "cancel" + "cancel", + "amni" ], "rsa.misc.category": "umdolore", "rsa.misc.client": "modoc", @@ -2166,6 +2217,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7278", + "related.hosts": [ + "uido2046.mail.lan" + ], "related.ip": [ "10.70.7.23", "10.130.240.11" @@ -2178,8 +2232,8 @@ "rsa.investigations.event_vcat": "uatu", "rsa.misc.OS": "tnulapar", "rsa.misc.action": [ - "odic", - "deny" + "deny", + "odic" ], "rsa.misc.category": "deri", "rsa.misc.client": "scivelit", @@ -2318,8 +2372,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.170.196.181", - "10.153.166.133", - "10.158.175.98" + "10.158.175.98", + "10.153.166.133" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -2382,9 +2436,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5978", + "related.hosts": [ + "con6049.internal.lan" + ], "related.ip": [ - "10.63.171.91", - "10.48.25.200" + "10.48.25.200", + "10.63.171.91" ], "related.user": [ "usanti" @@ -2533,9 +2590,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.225.37.73", + "10.166.142.198", "10.36.99.207", - "10.166.142.198" + "10.225.37.73" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2598,8 +2655,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.214.156.161", - "10.66.90.225", - "10.145.194.12" + "10.145.194.12", + "10.66.90.225" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -2661,8 +2718,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.163.36.101", "10.156.208.5", + "10.163.36.101", "10.6.242.108" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -2726,6 +2783,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4713", + "related.hosts": [ + "remeum2641.www5.corp" + ], "related.ip": [ "10.68.233.163", "10.220.148.127" @@ -2814,9 +2874,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4481", + "related.hosts": [ + "itaspe3216.localdomain" + ], "related.ip": [ - "10.94.177.125", - "10.116.82.108" + "10.116.82.108", + "10.94.177.125" ], "related.user": [ "ecatc" @@ -2826,8 +2889,8 @@ "rsa.investigations.event_vcat": "ihi", "rsa.misc.OS": "amquaera", "rsa.misc.action": [ - "nimides", - "allow" + "allow", + "nimides" ], "rsa.misc.category": "mve", "rsa.misc.client": "plica", 
@@ -2903,9 +2966,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4442", + "related.hosts": [ + "mea6298.api.example" + ], "related.ip": [ - "10.115.121.243", - "10.113.152.241" + "10.113.152.241", + "10.115.121.243" ], "related.user": [ "norumetM" @@ -2915,8 +2981,8 @@ "rsa.investigations.event_vcat": "teirured", "rsa.misc.OS": "oloremi", "rsa.misc.action": [ - "ali", - "cancel" + "cancel", + "ali" ], "rsa.misc.category": "idolor", "rsa.misc.client": "imveni", @@ -2991,6 +3057,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3804", + "related.hosts": [ + "iqu7510.internal.corp" + ], "related.ip": [ "10.49.82.45", "10.179.153.97" @@ -3079,8 +3148,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.205.83.138", - "10.99.55.115", - "10.98.52.184" + "10.98.52.184", + "10.99.55.115" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3142,9 +3211,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.197.128.162", "10.228.11.50", - "10.90.189.248", - "10.197.128.162" + "10.90.189.248" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3247,9 +3316,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.7318", + "related.hosts": [ + "deFinibu3940.internal.lan" + ], "related.ip": [ - "10.124.71.88", - "10.22.248.52" + "10.22.248.52", + "10.124.71.88" ], "related.user": [ "tcons" @@ -3335,9 +3407,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4895", + "related.hosts": [ + "tatiset4191.localdomain" + ], "related.ip": [ - "10.185.37.176", - "10.26.58.20" + "10.26.58.20", + "10.185.37.176" ], "related.user": [ "eumiure" 
@@ -3423,8 +3498,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.14.145.107", - "10.250.231.196", - "10.200.12.126" + "10.200.12.126", + "10.250.231.196" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3550,9 +3625,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.140.59.161", + "10.5.67.140", "10.118.111.183", - "10.5.67.140" + "10.140.59.161" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -3615,6 +3690,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4493", + "related.hosts": [ + "nimadmi4084.api.home" + ], "related.ip": [ "10.7.70.169", "10.28.212.191" @@ -3627,8 +3705,8 @@ "rsa.investigations.event_vcat": "Loremips", "rsa.misc.OS": "eritquii", "rsa.misc.action": [ - "nostru", - "accept" + "accept", + "nostru" ], "rsa.misc.category": "amnisiu", "rsa.misc.client": "rcita", @@ -3703,6 +3781,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6506", + "related.hosts": [ + "reprehe3525.www5.example" + ], "related.ip": [ "10.143.144.52", "10.148.197.60" @@ -3715,8 +3796,8 @@ "rsa.investigations.event_vcat": "uep", "rsa.misc.OS": "iatisund", "rsa.misc.action": [ - "nvo", - "block" + "block", + "nvo" ], "rsa.misc.category": "tenima", "rsa.misc.client": "iuntNe", @@ -3790,8 +3871,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.22.149.132", "10.217.145.137", + "10.22.149.132", "10.251.183.113" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -3854,8 +3935,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.203.66.175", "10.51.60.203", + "10.203.66.175", "10.183.16.252" ], "rsa.internal.messageid": "generic_fortinetmgr_1", 
@@ -3919,6 +4000,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.409", + "related.hosts": [ + "ursint411.www.lan" + ], "related.ip": [ "10.61.200.105", "10.157.14.165" @@ -4007,9 +4091,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5475", + "related.hosts": [ + "ididunt7607.mail.localhost" + ], "related.ip": [ - "10.242.178.15", - "10.217.111.77" + "10.217.111.77", + "10.242.178.15" ], "related.user": [ "nimadmin" @@ -4095,6 +4182,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.142", + "related.hosts": [ + "mco2906.domain" + ], "related.ip": [ "10.199.119.251", "10.86.152.227" @@ -4183,6 +4273,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1789", + "related.hosts": [ + "ntex5135.corp" + ], "related.ip": [ "10.239.194.105", "10.234.171.117" @@ -4195,8 +4288,8 @@ "rsa.investigations.event_vcat": "uia", "rsa.misc.OS": "mquae", "rsa.misc.action": [ - "tenatus", - "deny" + "deny", + "tenatus" ], "rsa.misc.category": "abo", "rsa.misc.client": "umtota", @@ -4271,9 +4364,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.249.16.201", "10.107.168.208", - "10.34.41.75" + "10.34.41.75", + "10.249.16.201" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4336,6 +4429,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6905", + "related.hosts": [ + "tat1845.internal.invalid" + ], "related.ip": [ "10.109.106.194", "10.96.168.24" @@ -4348,8 +4444,8 @@ "rsa.investigations.event_vcat": "agnaaliq", "rsa.misc.OS": "itte", "rsa.misc.action": [ - "allow", - "Sedut" + "Sedut", + "allow" ], "rsa.misc.category": "aqueip", "rsa.misc.client": "serr", 
@@ -4424,6 +4520,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1353", + "related.hosts": [ + "ulamc767.internal.lan" + ], "related.ip": [ "10.47.191.95", "10.112.155.228" @@ -4512,8 +4611,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.103.169.94", - "10.140.137.17", - "10.62.241.218" + "10.62.241.218", + "10.140.137.17" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4575,9 +4674,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.90.229.92", "10.251.212.166", - "10.77.105.160" + "10.77.105.160", + "10.90.229.92" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4640,9 +4739,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4261", + "related.hosts": [ + "spici5547.internal.test" + ], "related.ip": [ - "10.216.49.112", - "10.112.242.68" + "10.112.242.68", + "10.216.49.112" ], "related.user": [ "urmag" @@ -4728,9 +4830,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.491", + "related.hosts": [ + "istenatu3686.invalid" + ], "related.ip": [ - "10.96.100.84", - "10.182.58.108" + "10.182.58.108", + "10.96.100.84" ], "related.user": [ "lpaquiof" @@ -4740,8 +4845,8 @@ "rsa.investigations.event_vcat": "uatDuisa", "rsa.misc.OS": "citation", "rsa.misc.action": [ - "accept", - "utlabore" + "utlabore", + "accept" ], "rsa.misc.category": "reeu", "rsa.misc.client": "ntut", @@ -4816,8 +4921,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.246.41.77", - "10.157.22.21", - "10.228.61.5" + "10.228.61.5", + "10.157.22.21" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -4879,9 +4984,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.188.131.18", + "10.242.119.111", "10.239.231.168", - "10.242.119.111" + "10.188.131.18" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -4944,9 +5049,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.979", + "related.hosts": [ + "tru3812.mail.lan" + ], "related.ip": [ - "10.106.101.87", - "10.247.124.74" + "10.247.124.74", + "10.106.101.87" ], "related.user": [ "ainci" @@ -4956,8 +5064,8 @@ "rsa.investigations.event_vcat": "amnihil", "rsa.misc.OS": "tten", "rsa.misc.action": [ - "accept", - "inea" + "inea", + "accept" ], "rsa.misc.category": "quam", "rsa.misc.client": "oreseo", @@ -5072,9 +5180,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4342", + "related.hosts": [ + "riaturE1644.www5.example" + ], "related.ip": [ - "10.162.114.52", - "10.215.144.167" + "10.215.144.167", + "10.162.114.52" ], "related.user": [ "erspici" @@ -5160,6 +5271,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6452", + "related.hosts": [ + "mdolo7008.api.corp" + ], "related.ip": [ "10.162.128.87", "10.78.75.82" @@ -5247,9 +5361,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.75.198.93", "10.137.36.151", - "10.51.106.43", - "10.75.198.93" + "10.51.106.43" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -5376,9 +5490,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.5718", + "related.hosts": [ + "itse5466.api.example" + ], "related.ip": [ - "10.26.4.3", - "10.217.209.221" + "10.217.209.221", + "10.26.4.3" ], "related.user": [ "ciduntut" 
@@ -5388,8 +5505,8 @@ "rsa.investigations.event_vcat": "santiumd", "rsa.misc.OS": "oris", "rsa.misc.action": [ - "rsitame", - "deny" + "deny", + "rsitame" ], "rsa.misc.category": "agnaal", "rsa.misc.client": "urmagn", @@ -5464,6 +5581,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.6603", + "related.hosts": [ + "dquiac6194.api.lan" + ], "related.ip": [ "10.241.140.241", "10.180.162.174" @@ -5476,8 +5596,8 @@ "rsa.investigations.event_vcat": "luptatev", "rsa.misc.OS": "emipsu", "rsa.misc.action": [ - "accept", - "ido" + "ido", + "accept" ], "rsa.misc.category": "litse", "rsa.misc.client": "evita", @@ -5552,9 +5672,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2052", + "related.hosts": [ + "amco1592.mail.host" + ], "related.ip": [ - "10.62.140.108", - "10.110.99.222" + "10.110.99.222", + "10.62.140.108" ], "related.user": [ "moenimi" @@ -5564,8 +5687,8 @@ "rsa.investigations.event_vcat": "atvolupt", "rsa.misc.OS": "riosam", "rsa.misc.action": [ - "deny", - "ssitasp" + "ssitasp", + "deny" ], "rsa.misc.category": "enimadmi", "rsa.misc.client": "uatDui", @@ -5640,9 +5763,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2691", + "related.hosts": [ + "dicta7226.mail.example" + ], "related.ip": [ - "10.4.244.115", - "10.53.50.77" + "10.53.50.77", + "10.4.244.115" ], "related.user": [ "idolo" @@ -5652,8 +5778,8 @@ "rsa.investigations.event_vcat": "cupidata", "rsa.misc.OS": "ficiade", "rsa.misc.action": [ - "accept", - "lorem" + "lorem", + "accept" ], "rsa.misc.category": "iac", "rsa.misc.client": "tlabo", @@ -5728,8 +5854,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.236.211.111", - "10.221.100.157", - "10.120.212.78" + "10.120.212.78", + "10.221.100.157" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -5792,9 +5918,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.3052", + "related.hosts": [ + "pidatatn2627.www.localdomain" + ], "related.ip": [ - "10.208.231.15", - "10.210.82.202" + "10.210.82.202", + "10.208.231.15" ], "related.user": [ "riatur" @@ -5879,8 +6008,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.226.255.3", "10.123.59.69", + "10.226.255.3", "10.53.251.202" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -6008,9 +6137,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.95", + "related.hosts": [ + "emveleu4029.api.local" + ], "related.ip": [ - "10.236.175.163", - "10.126.11.186" + "10.126.11.186", + "10.236.175.163" ], "related.user": [ "udantiu" @@ -6020,8 +6152,8 @@ "rsa.investigations.event_vcat": "ill", "rsa.misc.OS": "eabill", "rsa.misc.action": [ - "cancel", - "atemqui" + "atemqui", + "cancel" ], "rsa.misc.category": "idatatno", "rsa.misc.client": "res", @@ -6095,9 +6227,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.83.98.220", + "10.11.150.136", "10.171.60.173", - "10.11.150.136" + "10.83.98.220" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6159,9 +6291,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.74.88.209", "10.92.3.166", - "10.238.49.73" + "10.238.49.73", + "10.74.88.209" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6224,8 +6356,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.119.248.36", - "10.84.200.121", - "10.187.107.47" + "10.187.107.47", + "10.84.200.121" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ 
@@ -6287,9 +6419,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.135.213.17", "10.167.128.229", - "10.30.239.222", - "10.135.213.17" + "10.30.239.222" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6352,6 +6484,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.1028", + "related.hosts": [ + "rspic5637.api.local" + ], "related.ip": [ "10.169.133.219", "10.115.166.48" @@ -6364,8 +6499,8 @@ "rsa.investigations.event_vcat": "iumdol", "rsa.misc.OS": "min", "rsa.misc.action": [ - "block", - "eleumiur" + "eleumiur", + "block" ], "rsa.misc.category": "ero", "rsa.misc.client": "gia", @@ -6440,6 +6575,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.4195", + "related.hosts": [ + "rror3870.www5.local" + ], "related.ip": [ "10.146.255.40", "10.226.39.82" @@ -6591,9 +6729,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.66.149.234", "10.186.253.240", - "10.233.128.7", - "10.66.149.234" + "10.233.128.7" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6655,9 +6793,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.173.140.201", "10.227.133.134", - "10.46.11.114" + "10.46.11.114", + "10.173.140.201" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6719,9 +6857,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.205.18.11", "10.69.130.207", - "10.170.236.123" + "10.170.236.123", + "10.205.18.11" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6784,6 +6922,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2682", + "related.hosts": [ + "velill3821.mail.invalid" + ], "related.ip": [ "10.97.254.192", "10.124.34.251" 
@@ -6796,8 +6937,8 @@ "rsa.investigations.event_vcat": "lica", "rsa.misc.OS": "taedi", "rsa.misc.action": [ - "imide", - "deny" + "deny", + "imide" ], "rsa.misc.category": "iurere", "rsa.misc.client": "ollitan", @@ -6871,9 +7012,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ + "10.9.41.221", "10.81.58.91", - "10.204.98.238", - "10.9.41.221" + "10.204.98.238" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -6975,8 +7116,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.212.208.70", "10.35.84.125", + "10.212.208.70", "10.37.120.29" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7039,8 +7180,8 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "related.ip": [ - "10.207.207.106", "10.199.201.26", + "10.207.207.106", "10.143.65.84" ], "rsa.internal.messageid": "generic_fortinetmgr_1", @@ -7104,8 +7245,8 @@ "observer.vendor": "Fortinet", "related.ip": [ "10.41.61.88", - "10.163.236.253", - "10.204.27.48" + "10.204.27.48", + "10.163.236.253" ], "rsa.internal.messageid": "generic_fortinetmgr_1", "rsa.misc.action": [ @@ -7233,6 +7374,9 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.802", + "related.hosts": [ + "cupida6106.www5.local" + ], "related.ip": [ "10.146.77.206", "10.109.172.90" @@ -7245,8 +7389,8 @@ "rsa.investigations.event_vcat": "lupt", "rsa.misc.OS": "etdolo", "rsa.misc.action": [ - "allow", - "amnihilm" + "amnihilm", + "allow" ], "rsa.misc.category": "ntin", "rsa.misc.client": "xcep", @@ -7321,9 +7465,12 @@ "observer.type": "Configuration", "observer.vendor": "Fortinet", "observer.version": "1.2314", + "related.hosts": [ + "unt2122.internal.local" + ], "related.ip": [ - "10.38.18.72", - "10.202.250.141" + "10.202.250.141", + "10.38.18.72" ], "related.user": [ "maperia" 
@@ -7333,8 +7480,8 @@
 "rsa.investigations.event_vcat": "rure",
 "rsa.misc.OS": "iquidexe",
 "rsa.misc.action": [
- "allow",
- "volu"
+ "volu",
+ "allow"
 ],
 "rsa.misc.category": "ium",
 "rsa.misc.client": "liquip",
@@ -7409,9 +7556,12 @@
 "observer.type": "Configuration",
 "observer.vendor": "Fortinet",
 "observer.version": "1.4674",
+ "related.hosts": [
+ "luptat2613.internal.localhost"
+ ],
 "related.ip": [
- "10.139.144.75",
- "10.182.124.88"
+ "10.182.124.88",
+ "10.139.144.75"
 ],
 "related.user": [
 "modo"
@@ -7421,8 +7571,8 @@
 "rsa.investigations.event_vcat": "tfug",
 "rsa.misc.OS": "imipsam",
 "rsa.misc.action": [
- "block",
- "utodi"
+ "utodi",
+ "block"
 ],
 "rsa.misc.category": "cid",
 "rsa.misc.client": "mquaerat",
@@ -7497,6 +7647,9 @@
 "observer.type": "Configuration",
 "observer.vendor": "Fortinet",
 "observer.version": "1.1386",
+ "related.hosts": [
+ "neavo4796.internal.domain"
+ ],
 "related.ip": [
 "10.188.124.185",
 "10.35.10.19"
diff --git a/x-pack/filebeat/module/imperva/securesphere/config/input.yml b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
index 68b88a27df5..e9d408c7b22 100644
--- a/x-pack/filebeat/module/imperva/securesphere/config/input.yml
+++ b/x-pack/filebeat/module/imperva/securesphere/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
index 3ff3b353c28..817b256c777 100644
--- a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append: field: related.hosts value: '{{host.hostname}}' allow_duplicates: false if: ctx?.host?.hostname != null
 on_failure:
 - append:
 field: error.message
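Review bot: The `if:` closing the new `append` processor in the securesphere pipeline is an unquoted plain scalar while the `value:` just above it is quoted; write it `if: "ctx?.host?.hostname != null"` so that a later edit introducing `: ` or ` #` into the Painless expression cannot silently change how YAML parses it, and so both templated lines of the processor read the same way. Whether `host.hostname` here is the SecureSphere appliance's own name or that of a forwarding relay is not visible in this hunk; if it can be the relay, `related.hosts` would gain an infrastructure hop rather than an entity of the event, which is worth confirming against where `host.hostname` is set earlier in the pipeline. The fixture hunks in this commit also reorder existing `related.ip`, `related.user` and `rsa.misc.action` entries, which adding `related.hosts` does not explain — if the generator emits these sets in nondeterministic order, the expected files will keep churning. The `processors:` list this hunk extends starts outside the hunk.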
diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 555b06cb1da..7894d6ff317 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -19,9 +19,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis5408.mail.local" + ], "related.ip": [ - "10.70.155.35", - "10.81.122.126" + "10.81.122.126", + "10.70.155.35" ], "related.user": [ "magn", @@ -105,14 +108,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ccusan7572.api.home" + ], "related.ip": [ - "10.159.182.171", - "10.58.116.231" + "10.58.116.231", + "10.159.182.171" ], "related.user": [ - "qua", + "temUten", "uradi", - "temUten" + "qua" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -160,13 +166,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "elaudant5931.internal.invalid" + ], "related.ip": [ - "10.18.124.28", - "10.232.27.250" + "10.232.27.250", + "10.18.124.28" ], "related.user": [ - "lapariat", "modocons", + "lapariat", "mquidol" ], "rsa.counters.dclass_c1": 6564, @@ -221,14 +230,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amest4147.mail.host" + ], "related.ip": [ - "10.197.250.10", - "10.6.137.200" + "10.6.137.200", + "10.197.250.10" ], "related.user": [ "oluptas", - "intoc", - "occae" + "occae", + "intoc" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", 
@@ -287,14 +299,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.179.124.125", "10.36.194.106" ], "related.user": [ - "acommod", + "ncidid", "reme", - "ncidid" + "acommod" ], "rsa.counters.event_counter": 2462, "rsa.db.database": "uaUteni", @@ -351,14 +366,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "didunt1355.corp" + ], "related.ip": [ - "10.211.105.204", - "10.129.149.43" + "10.129.149.43", + "10.211.105.204" ], "related.user": [ - "orema", + "eveli", "labor", - "eveli" + "orema" ], "rsa.counters.dclass_c1": 6855, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -410,13 +428,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "pora6854.www5.home" + ], "related.ip": [ "10.214.191.180", "10.112.250.193" ], "related.user": [ - "ide", "Exc", + "ide", "ipsumdol" ], "rsa.counters.dclass_c1": 6852, @@ -468,14 +489,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasn6599.www.localhost" + ], "related.ip": [ - "10.251.20.13", - "10.192.34.76" + "10.192.34.76", + "10.251.20.13" ], "related.user": [ - "ovol", + "iquipe", "tnonpro", - "iquipe" + "ovol" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -523,14 +547,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ptasnu6684.mail.lan" + ], "related.ip": [ "10.74.105.218", "10.59.138.212" ], "related.user": [ - "boree", "idunt", - "archite" + "archite", + "boree" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -582,6 +609,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rinre2977.api.corp" + ], "related.ip": [ "10.230.173.4", "10.168.159.13" @@ -641,14 +671,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "atevelit2450.local" + ], "related.ip": [ "10.41.21.204", "10.49.167.57" ], "related.user": [ - "tali", + "ccaeca", "sau", - "ccaeca" + "tali" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -702,22 +735,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itla658.api.localhost" + ], "related.ip": [ "10.62.147.186", "10.216.125.252" ], "related.user": [ - "lorsita", "dolore", - "llamco" + "llamco", + "lorsita" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "quasia", - "accept" + "accept", + "quasia" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -769,22 +805,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "umdolor4389.api.home" + ], "related.ip": [ "10.52.125.9", "10.204.128.215" ], "related.user": [ "nci", - "rum", - "paquioff" + "paquioff", + "rum" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", "rsa.internal.event_desc": "rumet", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "texpli" + "texpli", + "deny" ], "rsa.misc.category": "verita", "rsa.misc.disposition": "sectet", 
@@ -832,14 +871,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "rationev6444.localhost" + ], "related.ip": [ "10.34.148.166", "10.200.68.129" ], "related.user": [ "icabo", - "untutlab", - "miu" + "miu", + "untutlab" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -887,14 +929,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ipi7727.www5.domain" + ], "related.ip": [ "10.134.5.40", "10.226.101.180" ], "related.user": [ "siu", - "licabo", - "conse" + "conse", + "licabo" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -946,14 +991,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "spernatu5539.domain" + ], "related.ip": [ - "10.126.26.131", - "10.30.98.10" + "10.30.98.10", + "10.126.26.131" ], "related.user": [ "dipisci", - "velite", - "olori" + "olori", + "velite" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1005,9 +1053,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nimid372.api.corp" + ], "related.ip": [ - "10.190.10.219", - "10.233.120.207" + "10.233.120.207", + "10.190.10.219" ], "related.user": [ "item", @@ -1092,14 +1143,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "maliquam2147.internal.home" + ], "related.ip": [ "10.100.98.56", "10.248.184.200" ], "related.user": [ - "boru", "ritati", - "proident" + "proident", + "boru" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1151,14 +1205,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "olabor2983.internal.localhost" + ], "related.ip": [ - "10.82.28.220", - "10.197.6.245" + "10.197.6.245", + "10.82.28.220" ], "related.user": [ - "aecatcup", + "oluptat", "dtempo", - "oluptat" + "aecatcup" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1210,9 +1267,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "hitec2111.mail.corp" + ], "related.ip": [ - "10.6.27.103", - "10.167.252.183" + "10.167.252.183", + "10.6.27.103" ], "related.user": [ "redol", @@ -1271,22 +1331,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "adminim2559.www5.invalid" + ], "related.ip": [ "10.81.184.7", "10.88.45.111" ], "related.user": [ - "undeomni", + "lmole", "iameaque", - "lmole" + "undeomni" ], "rsa.counters.event_counter": 6344, "rsa.db.database": "nderi", "rsa.internal.event_desc": "iae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "illu" + "illu", + "deny" ], "rsa.misc.category": "quido", "rsa.misc.disposition": "emip", @@ -1336,14 +1399,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dolorem6882.api.local" + ], "related.ip": [ - "10.214.3.140", - "10.29.119.245" + "10.29.119.245", + "10.214.3.140" ], "related.user": [ - "taliqui", "edolorin", - "scipitl" + "scipitl", + "taliqui" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1397,14 +1463,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "temaccu5302.test" + ], "related.ip": [ - "10.218.123.234", - "10.110.133.7" + "10.110.133.7", + "10.218.123.234" ], "related.user": [ - "etconsec", + "caboNem", "pta", - "caboNem" + "etconsec" ], "rsa.counters.event_counter": 5347, "rsa.db.database": "urExcept", @@ -1462,14 +1531,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nder347.www.corp" + ], "related.ip": [ - "10.182.152.242", - "10.105.190.170" + "10.105.190.170", + "10.182.152.242" ], "related.user": [ + "litan", "mquisn", - "doeiu", - "litan" + "doeiu" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1523,14 +1595,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idunt4633.internal.host" + ], "related.ip": [ "10.59.188.188", "10.123.166.197" ], "related.user": [ "emUte", - "min", - "liquam" + "liquam", + "min" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1587,13 +1662,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ectob4634.mail.localhost" + ], "related.ip": [ "10.72.75.207", "10.201.168.116" ], "related.user": [ - "eufug", "eFini", + "eufug", "urau" ], "rsa.counters.dclass_c1": 3348, @@ -1646,14 +1724,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "snu6436.www.local" + ], "related.ip": [ "10.9.46.123", "10.58.133.175" ], "related.user": [ + "oco", "mfu", - "nde", - "oco" + "nde" ], "rsa.counters.dclass_c1": 3795, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1705,13 +1786,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lore7099.www.host" + ], "related.ip": [ "10.169.50.59", "10.70.29.203" ], "related.user": [ - "veniamq", "mquisnos", + "veniamq", "pta" ], "rsa.counters.dclass_c1": 2358, @@ -1764,14 +1848,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lesti6939.api.local" + ], "related.ip": [ - "10.165.182.111", - "10.137.85.123" + "10.137.85.123", + "10.165.182.111" ], "related.user": [ + "ames", "Bonorum", - "sis", - "ames" + "sis" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1853,14 +1940,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "upt6017.api.localdomain" + ], "related.ip": [ "10.64.184.196", "10.173.178.109" ], "related.user": [ - "uian", + "tam", "nesci", - "tam" + "uian" ], "rsa.counters.event_counter": 4493, "rsa.db.database": "sin", @@ -1918,13 +2008,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "turQuis4046.api.test" + ], "related.ip": [ - "10.168.225.209", - "10.90.50.149" + "10.90.50.149", + "10.168.225.209" ], "related.user": [ - "olupta", "aUtenima", + "olupta", "olu" ], "rsa.counters.dclass_c1": 1127, @@ -1977,13 +2070,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "con6049.internal.lan" + ], "related.ip": [ "10.59.182.36", "10.18.150.82" ], "related.user": [ - "luptat", "mtota", + "luptat", "qua" ], "rsa.counters.dclass_c1": 6112, 
@@ -2063,13 +2159,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tatnonp1371.www.invalid" + ], "related.ip": [ - "10.228.229.144", - "10.151.240.35" + "10.151.240.35", + "10.228.229.144" ], "related.user": [ - "ama", "ametcons", + "ama", "lam" ], "rsa.counters.dclass_c1": 4325, @@ -2118,14 +2217,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tium3542.internal.invalid" + ], "related.ip": [ "10.242.48.203", "10.147.142.242" ], "related.user": [ + "ese", "quisn", - "quasi", - "ese" + "quasi" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2179,13 +2281,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "radipis3991.mail.invalid" + ], "related.ip": [ - "10.254.10.98", - "10.213.165.165" + "10.213.165.165", + "10.254.10.98" ], "related.user": [ - "eufugia", "civeli", + "eufugia", "ttenb" ], "rsa.counters.event_counter": 7365, @@ -2193,8 +2298,8 @@ "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "uptasn", - "cancel" + "cancel", + "uptasn" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2274,14 +2379,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ihi7294.www5.localhost" + ], "related.ip": [ - "10.116.1.130", - "10.169.28.157" + "10.169.28.157", + "10.116.1.130" ], "related.user": [ "reseo", - "eturadip", - "amco" + "amco", + "eturadip" ], "rsa.counters.event_counter": 1295, "rsa.db.database": "ons", 
@@ -2339,14 +2447,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caecat4920.api.host" + ], "related.ip": [ "10.29.138.31", "10.45.69.152" ], "related.user": [ "volupta", - "tsunt", - "umq" + "umq", + "tsunt" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2398,13 +2509,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "setquas6188.internal.local" + ], "related.ip": [ "10.100.113.11", "10.152.213.228" ], "related.user": [ - "itationu", "ptatev", + "itationu", "velillum" ], "rsa.counters.dclass_c1": 7245, @@ -2485,9 +2599,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo3674.www5.localhost" + ], "related.ip": [ - "10.248.102.129", - "10.208.33.55" + "10.208.33.55", + "10.248.102.129" ], "related.user": [ "mremaper", @@ -2544,14 +2661,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "totamr7676.www5.home" + ], "related.ip": [ - "10.109.230.216", - "10.203.164.132" + "10.203.164.132", + "10.109.230.216" ], "related.user": [ - "ibus", "mporin", - "ectobea" + "ectobea", + "ibus" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2603,14 +2723,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "idents7231.mail.home" + ], "related.ip": [ "10.151.203.60", "10.117.81.75" ], "related.user": [ "iconsequ", - "dol", - "exeac" + "exeac", + "dol" ], "rsa.counters.dclass_c1": 484, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2662,14 +2785,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tat50.mail.host" + ], "related.ip": [ - "10.45.152.205", - "10.224.217.153" + "10.224.217.153", + "10.45.152.205" ], "related.user": [ "eriti", - "imav", - "utlabo" + "utlabo", + "imav" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2722,6 +2848,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mips3283.corp" + ], "related.ip": [ "10.1.193.187", "10.60.164.100" @@ -2786,14 +2915,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "aliquip7229.mail.domain" + ], "related.ip": [ - "10.146.228.234", - "10.248.244.203" + "10.248.244.203", + "10.146.228.234" ], "related.user": [ - "sum", "mquamei", - "eiusm" + "eiusm", + "sum" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2841,6 +2973,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "fde7756.mail.corp" + ], "related.ip": [ "10.122.127.237", "10.86.121.152" @@ -2900,14 +3035,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "agnama5013.internal.example" + ], "related.ip": [ "10.201.223.119", "10.204.223.184" ], "related.user": [ + "rcit", "teni", - "tuserror", - "rcit" + "tuserror" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2959,14 +3097,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "edictas4693.home" + ], "related.ip": [ "10.223.56.33", "10.200.12.126" ], "related.user": [ - "elitsedd", + "magnido", "Nequepo", - "magnido" + "elitsedd" ], "rsa.counters.dclass_c1": 3243, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3020,22 +3161,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibu2565.api.local" + ], "related.ip": [ - "10.65.225.101", - "10.94.89.177" + "10.94.89.177", + "10.65.225.101" ], "related.user": [ + "tuserror", "citation", - "emquel", - "tuserror" + "emquel" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", "rsa.internal.event_desc": "atuse", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "eruntmol" + "eruntmol", + "cancel" ], "rsa.misc.category": "imad", "rsa.misc.disposition": "tura", @@ -3084,14 +3228,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tsun7120.home" + ], "related.ip": [ "10.65.174.196", "10.191.184.105" ], "related.user": [ + "iin", "tione", - "uta", - "iin" + "uta" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3141,22 +3288,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "lumquid6940.mail.localdomain" + ], "related.ip": [ - "10.224.148.48", - "10.41.181.179" + "10.41.181.179", + "10.224.148.48" ], "related.user": [ - "iosamn", "equepor", - "niam" + "niam", + "iosamn" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "deny", - "rumwr" + "rumwr", + "deny" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3206,14 +3356,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "amcorp7299.api.example" + ], "related.ip": [ - "10.21.61.134", - "10.21.208.103" + "10.21.208.103", + "10.21.61.134" ], "related.user": [ + "ostr", "imidest", - "mipsa", - "ostr" + "mipsa" ], "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3265,14 +3418,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "magnama868.api.local" + ], "related.ip": [ - "10.221.192.116", - "10.23.6.216" + "10.23.6.216", + "10.221.192.116" ], "related.user": [ - "tevelite", + "iarchit", "iamquisn", - "iarchit" + "tevelite" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3326,22 +3482,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tionevol3157.mail.invalid" + ], "related.ip": [ - "10.240.62.238", - "10.191.142.143" + "10.191.142.143", + "10.240.62.238" ], "related.user": [ + "nofde", "modtempo", - "animide", - "nofde" + "animide" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "ali" + "ali", + "cancel" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", @@ -3392,14 +3551,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "mquis319.api.local" + ], "related.ip": [ - "10.111.22.134", - "10.178.79.217" + "10.178.79.217", + "10.111.22.134" ], "related.user": [ + "ccusan", "inibusBo", - "tqui", - "ccusan" + "tqui" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", @@ -3456,14 +3618,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "urad5712.api.host" + ], "related.ip": [ "10.161.225.172", "10.77.86.215" ], "related.user": [ - "rcit", + "xerc", "meaqu", - "xerc" + "rcit" ], "rsa.counters.dclass_c1": 7286, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -3514,9 +3679,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "enbyCic4659.www5.example" + ], "related.ip": [ - "10.211.161.187", - "10.186.133.184" + "10.186.133.184", + "10.211.161.187" ], "related.user": [ "boriosa", @@ -3568,14 +3736,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inBCSed5308.api.corp" + ], "related.ip": [ - "10.160.147.230", - "10.254.198.47" + "10.254.198.47", + "10.160.147.230" ], "related.user": [ - "illoin", "nimvenia", - "ndeomnis" + "ndeomnis", + "illoin" ], "rsa.counters.dclass_c1": 5988, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3623,14 +3794,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "reseo2067.api.localdomain" + ], "related.ip": [ - "10.40.24.93", - "10.182.197.243" + "10.182.197.243", + "10.40.24.93" ], "related.user": [ - "orisnis", "exerci", - "mSecti" + "mSecti", + "orisnis" ], "rsa.counters.dclass_c1": 4129, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3682,14 +3856,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itte6905.mail.invalid" + ], "related.ip": [ - "10.108.130.106", - "10.249.13.159" + "10.249.13.159", + "10.108.130.106" ], "related.user": [ "uisautei", - "colab", - "exeacomm" + "exeacomm", + "colab" ], "rsa.counters.dclass_c1": 1044, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3743,13 +3920,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "caboNemo274.www.host" + ], "related.ip": [ - "10.64.94.174", - "10.39.244.49" + "10.39.244.49", + "10.64.94.174" ], "related.user": [ - "Sedut", "iunt", + "Sedut", "estiae" ], "rsa.counters.event_counter": 7128, 
@@ -3863,14 +4043,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "qui5978.api.test" + ], "related.ip": [ - "10.134.135.22", - "10.115.203.143" + "10.115.203.143", + "10.134.135.22" ], "related.user": [ + "involu", "orpori", - "utoditau", - "involu" + "utoditau" ], "rsa.counters.dclass_c1": 7868, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3922,9 +4105,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iamq2577.internal.corp" + ], "related.ip": [ - "10.251.212.166", - "10.43.244.252" + "10.43.244.252", + "10.251.212.166" ], "related.user": [ "uptat", @@ -4009,14 +4195,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "usB4127.localhost" + ], "related.ip": [ "10.88.189.164", "10.20.231.188" ], "related.user": [ - "mqu", "tesseq", - "uatDuisa" + "uatDuisa", + "mqu" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4096,14 +4285,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "abor3266.mail.home" + ], "related.ip": [ - "10.231.77.26", - "10.225.11.197" + "10.225.11.197", + "10.231.77.26" ], "related.user": [ + "ineavol", "volu", - "rehe", - "ineavol" + "rehe" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4153,14 +4345,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "eprehe2455.www.home" + ], "related.ip": [ - "10.106.166.105", - "10.148.3.197" + "10.148.3.197", + "10.106.166.105" ], "related.user": [ - "avolup", "olupt", - "usa" + "usa", + "avolup" ], "rsa.counters.dclass_c1": 2658, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4208,14 +4403,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "destla2110.www5.localdomain" + ], "related.ip": [ - "10.172.121.239", - "10.57.169.205" + "10.57.169.205", + "10.172.121.239" ], "related.user": [ - "ctas", + "ipsu", "iuta", - "ipsu" + "ctas" ], "rsa.counters.dclass_c1": 392, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4267,14 +4465,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "exerc3694.api.home" + ], "related.ip": [ - "10.42.218.103", - "10.129.234.200" + "10.129.234.200", + "10.42.218.103" ], "related.user": [ - "dquia", "tevelit", - "tisundeo" + "tisundeo", + "dquia" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4326,14 +4527,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ididu5928.www5.local" + ], "related.ip": [ - "10.111.132.221", - "10.76.121.224" + "10.76.121.224", + "10.111.132.221" ], "related.user": [ + "oloremi", "scive", - "ali", - "oloremi" + "ali" ], "rsa.counters.dclass_c1": 6155, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4385,9 +4589,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "boriosa7066.www.corp" + ], "related.ip": [ - "10.17.214.21", - "10.195.8.141" + "10.195.8.141", + "10.17.214.21" ], "related.user": [ "dolo", @@ -4444,14 +4651,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "ssusc1892.internal.host" + ], "related.ip": [ - "10.173.13.179", - "10.179.60.167" + "10.179.60.167", + "10.173.13.179" ], "related.user": [ - "isn", + "apar", "ptasn", - "apar" + "isn" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4503,9 +4713,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "iatisund424.mail.localdomain" + ], "related.ip": [ - "10.42.135.34", - "10.178.190.123" + "10.178.190.123", + "10.42.135.34" ], "related.user": [ "tiset", @@ -4590,14 +4803,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "uidolo7626.local" + ], "related.ip": [ - "10.8.147.176", - "10.207.198.239" + "10.207.198.239", + "10.8.147.176" ], "related.user": [ - "aUteni", "incididu", - "Loremips" + "Loremips", + "aUteni" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4648,14 +4864,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "dmini3435.internal.domain" + ], "related.ip": [ - "10.206.221.180", - "10.116.26.185" + "10.116.26.185", + "10.206.221.180" ], "related.user": [ "oNe", - "nseq", - "litesseq" + "litesseq", + "nseq" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4703,14 +4922,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nibusBo1864.domain" + ], "related.ip": [ "10.253.127.130", "10.86.180.150" ], "related.user": [ "mnisis", - "etconsec", - "itasper" + "itasper", + "etconsec" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4764,13 +4986,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "inv6528.www5.example" + ], "related.ip": [ - "10.158.161.5", - "10.220.175.201" + "10.220.175.201", + "10.158.161.5" ], "related.user": [ - "dolo", - "rrors" + "rrors", + "dolo" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", 
@@ -4855,14 +5080,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "nisiutal4437.www.example" + ], "related.ip": [ "10.150.27.144", "10.248.16.82" ], "related.user": [ + "res", "ditautf", - "tuserror", - "res" + "tuserror" ], "rsa.counters.dclass_c1": 4367, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4914,13 +5142,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tqui5172.www.local" + ], "related.ip": [ - "10.173.19.140", - "10.146.131.76" + "10.146.131.76", + "10.173.19.140" ], "related.user": [ - "olo", "orsi", + "olo", "Except" ], "rsa.counters.dclass_c1": 5844, @@ -4972,9 +5203,12 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "intocca6708.mail.corp" + ], "related.ip": [ - "10.69.5.227", - "10.171.175.165" + "10.171.175.165", + "10.69.5.227" ], "related.user": [ "rumw", @@ -5027,13 +5261,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isetqu2843.www.invalid" + ], "related.ip": [ "10.213.214.118", "10.253.175.129" ], "related.user": [ - "ate", "nrep", + "ate", "epteurs" ], "rsa.counters.dclass_c1": 6260, @@ -5088,22 +5325,25 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "commodo6041.mail.localhost" + ], "related.ip": [ "10.149.91.130", "10.89.26.170" ], "related.user": [ + "atus", "aboris", - "orumetMa", - "atus" + "orumetMa" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "atcupi", - "block" + "block", + "atcupi" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", 
@@ -5154,14 +5394,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "gitse6744.api.local" + ], "related.ip": [ - "10.52.106.68", - "10.81.108.232" + "10.81.108.232", + "10.52.106.68" ], "related.user": [ + "uaturve", "neavolup", - "aco", - "uaturve" + "aco" ], "rsa.counters.event_counter": 5098, "rsa.db.database": "lapa", @@ -5221,14 +5464,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "par3605.internal.localdomain" + ], "related.ip": [ "10.230.48.97", "10.223.10.28" ], "related.user": [ - "usmodte", + "erit", "untex", - "erit" + "usmodte" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", @@ -5286,6 +5532,9 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "isau4356.www.home" + ], "related.ip": [ "10.115.42.231", "10.161.212.150" @@ -5347,13 +5596,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "labo3477.www5.domain" + ], "related.ip": [ "10.226.75.20", "10.247.108.144" ], "related.user": [ - "tema", "maccusan", + "tema", "fugia" ], "rsa.counters.event_counter": 3711, @@ -5411,14 +5663,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "itseddo2209.mail.domain" + ], "related.ip": [ "10.97.22.61", "10.192.15.65" ], "related.user": [ - "nimides", + "illumd", "rExcep", - "illumd" + "nimides" ], "rsa.counters.dclass_c1": 4173, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5468,13 +5723,16 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "duntutl3396.api.host" + ], "related.ip": [ "10.197.254.133", "10.116.76.161" ], "related.user": [ - "ide", "trudex", + "ide", "idu" ], "rsa.counters.event_counter": 2608, 
@@ -5482,8 +5740,8 @@ "rsa.internal.event_desc": "ritat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "quid" + "quid", + "cancel" ], "rsa.misc.category": "dipi", "rsa.misc.disposition": "asnulapa", @@ -5532,14 +5790,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "colabo6686.internal.invalid" + ], "related.ip": [ "10.144.14.15", "10.28.77.79" ], "related.user": [ + "rspic", "upta", - "utlab", - "rspic" + "utlab" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5590,14 +5851,17 @@ "observer.product": "Secure", "observer.type": "WAF", "observer.vendor": "Imperva", + "related.hosts": [ + "tsunti1164.www.example" + ], "related.ip": [ - "10.248.177.182", - "10.18.15.43" + "10.18.15.43", + "10.248.177.182" ], "related.user": [ - "quaturve", "quei", - "caecat" + "caecat", + "quaturve" ], "rsa.counters.dclass_c1": 983, "rsa.counters.dclass_c1_str": "Affected Rows", diff --git a/x-pack/filebeat/module/infoblox/nios/config/input.yml b/x-pack/filebeat/module/infoblox/nios/config/input.yml index 35ad775a3aa..b464486074b 100644 --- a/x-pack/filebeat/module/infoblox/nios/config/input.yml +++ b/x-pack/filebeat/module/infoblox/nios/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml index 3b42b82526b..517ff14bf4f 100644 --- a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml 
@@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null + - append: + field: related.hosts + value: '{{rsa.misc.event_source}}' + allow_duplicates: false + if: ctx?.rsa?.misc?.event_source != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json index 9552bff05b5..9d1e178db5a 100644 --- a/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json +++ b/x-pack/filebeat/module/infoblox/nios/test/generated.log-expected.json @@ -12,6 +12,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.5191", + "related.hosts": [ + "volup208.invalid" + ], "rsa.db.index": "mwritten", "rsa.internal.messageid": "openvpn-master", "rsa.misc.event_source": "volup208.invalid", @@ -38,6 +41,10 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "atio5608.www5.localhost", + "com1060.api.example" + ], "related.ip": [ "10.202.204.154" ], @@ -73,6 +80,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ptass3168.www5.example" + ], "related.ip": [ "10.13.70.213" ], @@ -100,6 +110,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mcolabor1656.www5.corp" + ], "rsa.internal.data": "veleumi", "rsa.internal.event_desc": "tia", "rsa.internal.messageid": "acpid", @@ -124,6 +137,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Cice513.api.local" + ], "rsa.db.index": "occ", "rsa.internal.event_desc": "ect", "rsa.internal.messageid": "openvpn-member", 
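Review bot: The two new `append` processors guard only on `!= null`, so an empty-string or non-scalar `host.name` / `rsa.misc.event_source` would still be rendered by the mustache template and land in `related.hosts` as `""` or a stringified list; a tighter condition such as `if: ctx?.host?.name instanceof String && ctx.host.name != ''` (and the same for `ctx?.rsa?.misc?.event_source`) keeps a field analysts pivot on free of junk terms. Whether those fields can actually be empty or multi-valued here depends on the earlier processors in the `processors:` list, which starts and ends outside this hunk. Since `related.hosts` is a keyword field and hostnames are case-insensitive, the mixed-case values the fixtures produce (e.g. `Cice513.api.local`) will not match a lowercase search term; either add a `lowercase` processor on `related.hosts` (with `ignore_missing: true`) or record the decision to keep the source casing in a comment above the first `append`, e.g. `# related.hosts keeps the hostname casing as logged; searches should use the same case`.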
@@ -148,6 +164,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "obeataev7086.mail.invalid" + ], "rsa.internal.event_desc": "natura", "rsa.internal.messageid": "speedstep_control", "rsa.misc.event_source": "obeataev7086.mail.invalid", @@ -170,6 +189,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nibusBon7400.localhost" + ], "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "nibusBon7400.localhost", "rsa.misc.result": "success", @@ -192,6 +214,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iat1852.api.localdomain" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "iat1852.api.localdomain", @@ -214,6 +239,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mquisnos5771.example" + ], "related.ip": [ "10.104.111.129" ], @@ -244,6 +272,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.3162", + "related.hosts": [ + "ite996.host" + ], "rsa.email.email_src": "umdolore", "rsa.internal.data": "umdo", "rsa.internal.messageid": "kernel", @@ -268,6 +299,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "enim2780.www.lan" + ], "rsa.internal.data": "eriame", "rsa.internal.event_desc": "lorema", "rsa.internal.messageid": "rc6", @@ -292,6 +326,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "emporinc5075.internal.host" + ], "rsa.internal.data": "atcu", "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "emporinc5075.internal.host", 
@@ -315,6 +352,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "strude910.internal.local" + ], "rsa.internal.event_desc": "shutting down for system reboot", "rsa.internal.messageid": "shutdown", "rsa.misc.event_source": "strude910.internal.local", @@ -357,6 +397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itaut7095.invalid" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "ritatis", "rsa.misc.event_source": "itaut7095.invalid", @@ -379,6 +422,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "colabor1552.www5.local" + ], "rsa.internal.event_desc": "lorumw", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "colabor1552.www5.local", @@ -401,6 +447,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "inima5444.www5.lan" + ], "rsa.internal.data": "nihi", "rsa.internal.event_desc": "Lor", "rsa.internal.messageid": "validate_dhcpd", @@ -424,6 +473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "erc3217.internal.lan" + ], "rsa.internal.data": "olupt", "rsa.internal.event_desc": "modoco", "rsa.internal.messageid": "debug_mount", @@ -449,6 +501,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uames499.internal.host" + ], "related.ip": [ "10.45.25.68" ], @@ -482,6 +537,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2299", + "related.hosts": [ + "iineavo951.internal.test" + ], "rsa.internal.data": "intoccae", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "iineavo951.internal.test", 
@@ -505,6 +563,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "Loremip6417.mail.test" + ], "rsa.db.index": "emoeni", "rsa.internal.event_desc": "oenimips", "rsa.internal.messageid": "syslog", @@ -528,6 +589,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mnisist2347.mail.host" + ], "rsa.internal.data": "temveleu", "rsa.internal.event_desc": "Sent mail for colabo (eme)", "rsa.internal.messageid": "sSMTP", @@ -552,6 +616,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.2807", + "related.hosts": [ + "datatn5076.internal.example" + ], "rsa.internal.event_desc": "ihilm", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "datatn5076.internal.example", @@ -575,6 +642,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit2385.internal.home" + ], "rsa.internal.data": "run", "rsa.internal.event_desc": "building file list", "rsa.internal.messageid": "rsyncd", @@ -598,6 +668,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "quisnos4590.mail.domain" + ], "rsa.internal.event_desc": "eritqu", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "quisnos4590.mail.domain", @@ -620,6 +693,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "wri2784.api.domain" + ], "rsa.db.index": "hitect", "rsa.internal.event_desc": "dol", "rsa.internal.messageid": "restarting", @@ -643,6 +719,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "asun1250.api.localdomain" + ], "rsa.internal.data": "oluptate", "rsa.internal.event_desc": "onseq", "rsa.internal.messageid": "rc3", 
@@ -667,6 +746,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "intoc2428.domain" + ], "rsa.internal.data": "dantiumt", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "luptasn", @@ -690,6 +772,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ento4488.www5.localhost" + ], "rsa.internal.event_desc": "amre", "rsa.internal.messageid": "rc6", "rsa.misc.event_source": "ento4488.www5.localhost", @@ -712,6 +797,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "boris5916.www5.example" + ], "rsa.internal.data": "uioffi", "rsa.internal.event_desc": "Distribution Complete", "rsa.internal.messageid": "controld", @@ -735,6 +823,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "temqu3331.api.host" + ], "rsa.internal.event_desc": "reseos", "rsa.internal.messageid": "phonehome", "rsa.misc.event_source": "temqu3331.api.host", @@ -782,6 +873,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "radi1512.mail.example" + ], "rsa.db.index": "ris", "rsa.internal.event_desc": "uamqu", "rsa.internal.messageid": "openvpn-member", @@ -806,6 +900,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "onsecte7184.mail.domain" + ], "rsa.internal.event_desc": "reme", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "onsecte7184.mail.domain", @@ -828,6 +925,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "eveli265.www5.localdomain" + ], "rsa.db.index": "nse", "rsa.internal.messageid": "ipmievd", "rsa.misc.event_source": "eveli265.www5.localdomain", 
@@ -853,6 +953,10 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uptatema6843.www.host", + "derit4688.mail.localhost" + ], "related.ip": [ "10.74.104.215" ], @@ -887,6 +991,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "evolup4403.local" + ], "rsa.internal.data": "smo", "rsa.internal.messageid": "INFOBLOX-Grid", "rsa.misc.event_source": "evolup4403.local", @@ -909,6 +1016,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "nonn839.api.corp" + ], "rsa.internal.event_desc": "temquiav", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "nonn839.api.corp", @@ -931,6 +1041,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "adm7744.mail.domain" + ], "rsa.internal.event_desc": "isc", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "adm7744.mail.domain", @@ -955,6 +1068,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "process.pid": 845, + "related.hosts": [ + "ios6980.example" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.action": [ "deny" @@ -979,6 +1095,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "osquira6030.internal.corp" + ], "rsa.internal.data": "com", "rsa.internal.event_desc": "tnulapa", "rsa.internal.messageid": "diskcheck", @@ -1002,6 +1121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "squirati63.mail.lan" + ], "rsa.internal.data": "nbyCic", "rsa.internal.event_desc": "utlabor", "rsa.internal.messageid": "watchdog", 
@@ -1025,6 +1147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lup2134.www.localhost" + ], "rsa.internal.data": "upida", "rsa.internal.messageid": "rc", "rsa.misc.client": "tvolupt", @@ -1048,6 +1173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umdo4017.www.local" + ], "rsa.internal.data": "ati", "rsa.internal.event_desc": "uine", "rsa.internal.messageid": "snmptrapd", @@ -1071,6 +1199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loreme853.www5.localdomain" + ], "rsa.internal.event_desc": "con", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "loreme853.www5.localdomain", @@ -1094,6 +1225,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "orumSe728.internal.test" + ], "rsa.db.index": "evit", "rsa.internal.data": "itess", "rsa.internal.event_desc": "runtm", @@ -1119,6 +1253,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "oremi7400.www.local" + ], "rsa.internal.data": "ineavo", "rsa.internal.event_desc": "pexe", "rsa.internal.messageid": "acpid", @@ -1142,6 +1279,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ess651.test" + ], "related.ip": [ "10.143.187.97" ], @@ -1171,6 +1311,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "epre6970.www.example" + ], "related.user": [ "temUt" ], @@ -1202,6 +1345,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tali7803.www.localdomain" + ], "rsa.internal.event_desc": "ender", "rsa.internal.messageid": "httpd", "rsa.misc.event_source": "tali7803.www.localdomain", 
@@ -1225,6 +1371,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uradi6198.test" + ], "rsa.internal.event_desc": "frequency initialized from file", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "uradi6198.test", @@ -1248,6 +1397,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umSe1918.local" + ], "rsa.counters.dclass_c1": 2836, "rsa.internal.event_desc": "ntpd exiting on signal", "rsa.internal.messageid": "ntpd", @@ -1271,6 +1423,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "odoconse228.mail.localdomain" + ], "rsa.internal.event_desc": "tenim", "rsa.internal.messageid": "syslog-ng", "rsa.misc.event_source": "odoconse228.mail.localdomain", @@ -1293,6 +1448,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "cteturad4074.mail.host" + ], "rsa.internal.event_desc": "tetu", "rsa.internal.messageid": "validate_dhcpd", "rsa.misc.event_source": "cteturad4074.mail.host", @@ -1315,6 +1473,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itation6137.home" + ], "rsa.internal.event_desc": "sequat", "rsa.internal.messageid": "debug_mount", "rsa.misc.event_source": "itation6137.home", @@ -1359,6 +1520,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dun1276.api.localdomain" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "dun1276.api.localdomain", 
@@ -1382,6 +1546,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "iquidexe304.mail.test" + ], "rsa.internal.event_desc": "oreetd", "rsa.internal.messageid": "smart_check_io", "rsa.misc.event_source": "iquidexe304.mail.test", @@ -1405,6 +1572,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "preh2690.api.localdomain" + ], "rsa.internal.data": "mac", "rsa.internal.event_desc": "qui", "rsa.internal.messageid": "captured_dns_uploader", @@ -1430,6 +1600,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7214", + "related.hosts": [ + "rem3032.mail.domain" + ], "rsa.email.email_src": "ica", "rsa.internal.messageid": "kernel", "rsa.misc.event_source": "rem3032.mail.domain", @@ -1455,6 +1628,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.7727", + "related.hosts": [ + "tetur2694.mail.local" + ], "rsa.db.index": "itinv", "rsa.internal.messageid": "openvpn-member", "rsa.misc.event_source": "tetur2694.mail.local", @@ -1478,6 +1654,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "utaliqu6138.mail.localhost" + ], "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "oremi", @@ -1501,6 +1680,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tame4953.mail.localhost" + ], "rsa.db.index": "prehen", "rsa.internal.event_desc": "ntutlabo", "rsa.internal.messageid": "restarting", @@ -1525,6 +1707,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "loi7596.www5.home" + ], "rsa.internal.data": "deserun", "rsa.internal.messageid": "scheduled_backups", "rsa.misc.device_name": "esseq", 
@@ -1548,6 +1733,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mmodoc4947.internal.test" + ], "rsa.internal.data": "atu", "rsa.internal.messageid": "ErrorMsg", "rsa.misc.event_source": "mmodoc4947.internal.test", @@ -1571,6 +1759,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olorem2760.www5.test" + ], "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", "rsa.misc.event_source": "olorem2760.www5.test", @@ -1593,6 +1784,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol3346.www.lan" + ], "rsa.internal.data": "olorese", "rsa.internal.event_desc": "Scheduled backup to the FTP server failed", "rsa.internal.messageid": "scheduled_ftp_backups", @@ -1619,6 +1813,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ercit6496.api.local" + ], "rsa.internal.event_desc": "Scheduled backup to the SCP server was successful", "rsa.internal.messageid": "scheduled_scp_backups", "rsa.misc.device_name": "midestl", @@ -1662,6 +1859,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "col3570.www.invalid" + ], "rsa.email.email_dst": "tsed", "rsa.internal.messageid": "sSMTP", "rsa.misc.event_source": "col3570.www.invalid", @@ -1685,6 +1885,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "mipsamvo4282.api.home" + ], "rsa.internal.event_desc": "oreveri", "rsa.internal.messageid": "init", "rsa.misc.event_source": "mipsamvo4282.api.home", 
@@ -1707,6 +1910,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "umq1309.api.test" + ], "rsa.internal.event_desc": "mve", "rsa.internal.messageid": "debug", "rsa.misc.event_source": "umq1309.api.test", @@ -1729,6 +1935,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ugit5828.www5.test" + ], "rsa.internal.data": "asnu", "rsa.internal.messageid": "rc", "rsa.misc.client": "hitec", @@ -1772,6 +1981,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "archite1843.mail.home" + ], "rsa.internal.event_desc": "uta", "rsa.internal.messageid": "radiusd", "rsa.misc.event_source": "archite1843.mail.home", @@ -1794,6 +2006,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "derit5270.mail.local" + ], "rsa.internal.event_desc": "ntexpl", "rsa.internal.messageid": "rcsysinit", "rsa.misc.event_source": "derit5270.mail.local", @@ -1816,6 +2031,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itanim4024.api.example" + ], "related.ip": [ "10.156.34.19" ], @@ -1873,6 +2091,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ataevi1984.internal.host" + ], "related.ip": [ "10.17.87.79" ], @@ -1900,6 +2121,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tionula1586.host" + ], "rsa.internal.data": "idolor", "rsa.internal.event_desc": "ntpd exiting", "rsa.internal.messageid": "ntpd_initres", 
@@ -1923,6 +2147,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "llam1884.www.corp" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "llam1884.www.corp", @@ -1946,6 +2173,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ore5643.api.lan" + ], "rsa.internal.data": "edolorin", "rsa.internal.event_desc": "dolorem", "rsa.internal.messageid": "acpid", @@ -1969,6 +2199,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "exeacomm79.api.corp" + ], "rsa.internal.data": "mides", "rsa.internal.event_desc": "ciun", "rsa.internal.messageid": "rc3", @@ -1993,6 +2226,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lorsita6602.mail.local" + ], "rsa.internal.messageid": "watchdog", "rsa.misc.event_source": "lorsita6602.mail.local", "rsa.misc.result_code": "npr", @@ -2015,6 +2251,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "ratv2649.www.host" + ], "rsa.internal.data": "tali", "rsa.internal.event_desc": "BCS", "rsa.internal.messageid": "speedstep_control", @@ -2038,6 +2277,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "abor4353.www5.host" + ], "rsa.internal.event_desc": "tesseq", "rsa.internal.messageid": "python", "rsa.misc.event_source": "abor4353.www5.host", @@ -2062,6 +2304,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.388", + "related.hosts": [ + "rerepre6748.internal.domain" + ], "rsa.db.index": "sinto", "rsa.internal.data": "tdolore", "rsa.internal.messageid": "openvpn-member", 
@@ -2086,6 +2331,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "qui3176.internal.example" + ], "rsa.internal.messageid": "rc", "rsa.misc.client": "amvolu", "rsa.misc.event_source": "qui3176.internal.example", @@ -2109,6 +2357,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "der7349.invalid" + ], "rsa.internal.event_desc": "eiusmod", "rsa.internal.messageid": "monitor", "rsa.misc.event_source": "der7349.invalid", @@ -2132,6 +2383,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "veleum3833.internal.test" + ], "rsa.internal.event_desc": "iusmodt", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "veleum3833.internal.test", @@ -2154,6 +2408,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "aquio6685.internal.test" + ], "rsa.internal.data": "aquio", "rsa.internal.event_desc": "riatu", "rsa.internal.messageid": "rc6", @@ -2177,6 +2434,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "tanimid4871.internal.domain" + ], "rsa.internal.data": "abor", "rsa.internal.event_desc": "nBCSe", "rsa.internal.messageid": "debug", @@ -2200,6 +2460,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "icta82.internal.lan" + ], "rsa.internal.data": "uei", "rsa.internal.event_desc": "can't read sid", "rsa.internal.messageid": "pidof", @@ -2224,6 +2487,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dol6197.mail.localdomain" + ], "rsa.internal.data": "inBCSe", "rsa.internal.event_desc": "otamrem", "rsa.internal.messageid": "speedstep_control", 
@@ -2247,6 +2513,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "lumqu617.www.test" + ], "rsa.internal.event_desc": "time slew duraion", "rsa.internal.messageid": "ntpd", "rsa.misc.event_source": "lumqu617.www.test", @@ -2270,6 +2539,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "uido492.www5.home" + ], "rsa.internal.data": "uid", "rsa.internal.messageid": "pidof", "rsa.misc.client": "snostrum", @@ -2294,6 +2566,9 @@ "observer.type": "IPAM", "observer.vendor": "Infoblox", "observer.version": "1.6198", + "related.hosts": [ + "reseosqu1629.mail.lan" + ], "rsa.internal.event_desc": "ommo", "rsa.internal.messageid": "snmptrapd", "rsa.misc.event_source": "reseosqu1629.mail.lan", @@ -2317,6 +2592,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "itseddoe5595.internal.localhost" + ], "rsa.internal.data": "ehende", "rsa.internal.event_desc": "tutla", "rsa.internal.messageid": "smart_check_io", @@ -2340,6 +2618,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "olu5333.www.domain" + ], "rsa.internal.event_desc": "dolor", "rsa.internal.messageid": "diskcheck", "rsa.misc.event_source": "olu5333.www.domain", @@ -2362,6 +2643,9 @@ "observer.product": "Network", "observer.type": "IPAM", "observer.vendor": "Infoblox", + "related.hosts": [ + "dtemp1362.internal.example" + ], "rsa.internal.event_desc": "itae", "rsa.internal.messageid": "init", "rsa.misc.event_source": "dtemp1362.internal.example", diff --git a/x-pack/filebeat/module/juniper/junos/config/input.yml b/x-pack/filebeat/module/juniper/junos/config/input.yml index 95d8bf8a477..ac3e93cc485 100644 --- a/x-pack/filebeat/module/juniper/junos/config/input.yml +++ b/x-pack/filebeat/module/juniper/junos/config/input.yml 
@@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml index afa4b02bec4..a2a37344dfd 100644 --- a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname + - append: + field: related.hosts + value: '{{server.domain}}' + allow_duplicates: false + if: ctx?.server?.domain on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/juniper/netscreen/config/input.yml b/x-pack/filebeat/module/juniper/netscreen/config/input.yml index 9b4a5566a9b..0fde2181329 100644 --- a/x-pack/filebeat/module/juniper/netscreen/config/input.yml +++ b/x-pack/filebeat/module/juniper/netscreen/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml index e8e683f9022..83985fba51d 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/config/input.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml index 7c917d05c81..31ab37d66c2 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml 
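Review bot: In the juniper/junos pipeline.yml hunk the two new `append` processors use bare values as their condition, `if: ctx?.host?.hostname` and `if: ctx?.server?.domain`, rather than a boolean presence check. As far as I can tell Painless does not coerce a String (or a null from the null-safe chain) to boolean, so these are likely to throw at runtime and fall through to the `on_failure` handler for every event that carries a hostname, instead of silently gating the append. The same commit writes the check correctly in microsoft/dhcp, so for consistency and safety change them to `if: ctx?.host?.hostname != null` and `if: ctx?.server?.domain != null`. The `allow_duplicates: false` on both appends is the right call since `related.hosts` is a set-like correlation field.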
@@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{host.hostname}}' + allow_duplicates: false + if: ctx?.host?.hostname != null + - append: + field: related.hosts + value: '{{source.address}}' + allow_duplicates: false + if: ctx?.source?.address != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json index a350394d3bd..48ad613503d 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json +++ b/x-pack/filebeat/module/microsoft/dhcp/test/generated.log-expected.json @@ -12,6 +12,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ciade5699.domain" + ], "related.ip": [ "10.124.22.221" ], @@ -41,6 +44,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "orev6153.internal.domain" + ], "related.ip": [ "10.103.162.55" ], @@ -70,6 +76,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uatDuis2964.test" + ], "related.ip": [ "10.58.0.245" ], @@ -99,6 +108,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "untNequ5075.www5.domain" + ], "related.ip": [ "10.163.217.10" ], @@ -130,6 +142,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "idexea3181.www.local" + ], "related.ip": [ "10.111.27.193" ], @@ -159,6 +174,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etM953.api.domain" + ], "related.ip": [ "10.97.38.141" ], 
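Review bot: In the microsoft/dhcp pipeline.yml hunk the second append copies `source.address` into `related.hosts` guarded only by `ctx?.source?.address != null`; in ECS `source.address` is the raw, ambiguous address and may hold an IP rather than a hostname, so this can push IP strings into `related.hosts` where they duplicate `related.ip` and muddy hostname-based correlation. If this pipeline already derives `source.domain`/`source.ip` from the address, consider sourcing the value from `source.domain` (`value: '{{source.domain}}'`, `if: ctx?.source?.domain != null`); otherwise at least document the intent above the processor, e.g. `# source.address may be an IP for DHCP events; hostnames only are intended here`. The presence checks themselves (`!= null`) are correct and should be the pattern the other modules in this commit follow.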
@@ -188,6 +206,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inv5716.mail.invalid" + ], "related.ip": [ "10.17.21.125" ], @@ -217,6 +238,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uines6355.internal.localdomain" + ], "related.ip": [ "10.73.69.75" ], @@ -246,6 +270,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rehender4535.www5.test" + ], "related.ip": [ "10.45.25.68" ], @@ -275,6 +302,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mporain2624.www.localhost" + ], "related.ip": [ "10.68.93.6" ], @@ -304,6 +334,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tutla2716.www.domain" + ], "related.ip": [ "10.192.110.182" ], @@ -333,6 +366,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "conseq557.mail.lan" + ], "related.ip": [ "10.148.153.201" ], @@ -362,6 +398,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "etconse7424.internal.lan" + ], "related.ip": [ "10.213.147.241" ], @@ -391,6 +430,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tMalor7410.www.localhost" + ], "related.ip": [ "10.183.233.5" ], @@ -422,6 +464,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equat2243.www5.localdomain" + ], "related.ip": [ "10.52.186.29" ], 
@@ -451,6 +496,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectio2175.www.localhost" + ], "related.ip": [ "10.194.114.58" ], @@ -480,6 +528,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "liqui6106.internal.home" + ], "related.ip": [ "10.212.42.224" ], @@ -509,6 +560,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "eratv6205.internal.lan" + ], "related.ip": [ "10.244.144.198" ], @@ -540,6 +594,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ "10.90.86.89" ], @@ -569,6 +626,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "riosamn7650.api.test" + ], "related.ip": [ "10.158.237.92" ], @@ -601,6 +661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aper5651.test" + ], "related.ip": [ "10.20.147.134" ], @@ -633,6 +696,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inventor6088.www.invalid" + ], "related.ip": [ "10.213.145.202" ], @@ -662,6 +728,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cipitlab6201.www5.example" + ], "related.ip": [ "10.76.10.73" ], @@ -691,6 +760,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Nemoenim2039.api.localhost" + ], "related.ip": [ "10.226.199.190" ], @@ -721,6 +793,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iquipe2458.api.host" + ], "related.ip": [ "10.20.129.206" ], 
@@ -750,6 +825,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "intoc1426.mail.lan" + ], "related.ip": [ "10.22.110.210" ], @@ -779,6 +857,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3751.mail.lan" + ], "related.ip": [ "10.218.87.174" ], @@ -808,6 +889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tqu4367.www5.localhost" + ], "related.ip": [ "10.140.113.244" ], @@ -837,6 +921,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "inci5738.www5.invalid" + ], "related.ip": [ "10.159.181.29" ], @@ -866,6 +953,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "itecto1300.internal.corp" + ], "related.ip": [ "10.178.173.128" ], @@ -895,6 +985,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "siut1579.www.domain" + ], "related.ip": [ "10.217.38.30" ], @@ -924,6 +1017,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ame6223.www5.localhost" + ], "related.ip": [ "10.178.49.161" ], @@ -953,6 +1049,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aturve1647.mail.localhost" + ], "related.ip": [ "10.175.103.215" ], @@ -982,6 +1081,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aco6894.mail.home" + ], "related.ip": [ "10.192.21.74" ], @@ -1013,6 +1115,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tetu2485.internal.invalid" + ], "related.ip": [ "10.142.25.100" ], 
@@ -1043,6 +1148,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreme60.www5.localhost" + ], "related.ip": [ "10.162.114.217" ], @@ -1074,6 +1182,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat7214.domain" + ], "related.ip": [ "10.0.132.176" ], @@ -1104,6 +1215,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "amcor5091.internal.corp" + ], "related.ip": [ "10.22.187.69" ], @@ -1135,6 +1249,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ncidid5410.internal.domain" + ], "related.ip": [ "10.2.128.234" ], @@ -1165,6 +1282,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nofd988.api.example" + ], "related.ip": [ "10.223.160.140" ], @@ -1197,6 +1317,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "borisnis6159.www5.localdomain" + ], "related.ip": [ "10.137.14.180" ], @@ -1226,6 +1349,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dminima4348.mail.home" + ], "related.ip": [ "10.192.182.230" ], @@ -1256,6 +1382,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "oluptas6981.www5.localhost" + ], "related.ip": [ "10.95.241.28" ], @@ -1288,6 +1417,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equ4808.www.localhost" + ], "related.ip": [ "10.74.240.121" ], 
@@ -1320,6 +1452,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nsec923.internal.local" + ], "related.ip": [ "10.139.127.232" ], @@ -1351,6 +1486,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "emoe4059.api.localdomain" + ], "related.ip": [ "10.170.6.54" ], @@ -1380,6 +1518,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "equun6662.home" + ], "related.ip": [ "10.46.115.216" ], @@ -1409,6 +1550,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dtempori5735.www5.local" + ], "related.ip": [ "10.226.5.189" ], @@ -1438,6 +1582,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cupi7581.internal.local" + ], "related.ip": [ "10.0.20.5" ], @@ -1468,6 +1615,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "quasiar5281.mail.invalid" + ], "related.ip": [ "10.180.101.232" ], @@ -1500,6 +1650,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tionula1586.host" + ], "related.ip": [ "10.141.158.225" ], @@ -1529,6 +1682,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ore5643.api.lan" + ], "related.ip": [ "10.94.88.5" ], @@ -1559,6 +1715,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ciun39.localdomain" + ], "related.ip": [ "10.155.18.139" ], @@ -1591,6 +1750,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iutali7297.www.domain" + ], "related.ip": [ "10.85.48.117" ], 
@@ -1620,6 +1782,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "docon5398.mail.host" + ], "related.ip": [ "10.224.146.6" ], @@ -1649,6 +1814,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "destlabo7803.mail.localhost" + ], "related.ip": [ "10.182.152.242" ], @@ -1678,6 +1846,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fugits1163.host" + ], "related.ip": [ "10.225.157.110" ], @@ -1707,6 +1878,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "adol170.internal.example" + ], "related.ip": [ "10.236.185.102" ], @@ -1736,6 +1910,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "red5516.localhost" + ], "related.ip": [ "10.146.72.62" ], @@ -1767,6 +1944,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "qui3176.internal.example" + ], "related.ip": [ "10.221.7.206" ], @@ -1796,6 +1976,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "luptat2979.internal.local" + ], "related.ip": [ "10.196.35.130" ], @@ -1825,6 +2008,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "prehe1037.api.example" + ], "related.ip": [ "10.182.219.241" ], @@ -1854,6 +2040,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "abor1370.www.domain" + ], "related.ip": [ "10.101.163.40" ], 
@@ -1883,6 +2072,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "atDuis5759.internal.test" + ], "related.ip": [ "10.141.39.190" ], @@ -1912,6 +2104,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ict2699.internal.localhost" + ], "related.ip": [ "10.41.89.217" ], @@ -1941,6 +2136,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "cive2292.api.local" + ], "related.ip": [ "10.86.44.130" ], @@ -1971,6 +2169,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "aconsequ2331.www5.localhost" + ], "related.ip": [ "10.209.71.69" ], @@ -2004,6 +2205,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rsitvolu3596.www.test" + ], "related.ip": [ "10.48.104.137" ], @@ -2036,6 +2240,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "elites6366.mail.lan" + ], "related.ip": [ "10.225.255.211" ], @@ -2068,6 +2275,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "orumSe4514.www.corp" + ], "related.ip": [ "10.137.103.62" ], @@ -2097,6 +2307,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "fdeFi6975.www5.local" + ], "related.ip": [ "10.156.88.51" ], @@ -2126,6 +2339,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "dol3000.www5.local" + ], "related.ip": [ "10.7.99.47" ], 
@@ -2155,6 +2371,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umd5182.mail.host" + ], "related.ip": [ "10.243.252.157" ], @@ -2186,6 +2405,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "expl2616.www.test" + ], "related.ip": [ "10.95.73.196" ], @@ -2215,6 +2437,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "risni1535.example" + ], "related.ip": [ "10.145.104.170" ], @@ -2244,6 +2469,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "umtotamr7221.mail.host" + ], "related.ip": [ "10.18.152.236" ], @@ -2273,6 +2501,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "teir7585.www5.localdomain" + ], "related.ip": [ "10.15.240.220" ], @@ -2302,6 +2533,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tur4536.localdomain" + ], "related.ip": [ "10.147.130.71" ], @@ -2331,6 +2565,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ffic6926.home" + ], "related.ip": [ "10.203.146.137" ], @@ -2360,6 +2597,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ate4386.api.localhost" + ], "related.ip": [ "10.5.98.182" ], @@ -2389,6 +2629,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "iameaque5093.api.corp" + ], "related.ip": [ "10.6.180.90" ], @@ -2418,6 +2661,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tatisetq3237.www5.corp" + ], "related.ip": [ "10.111.93.224" ], 
@@ -2447,6 +2693,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "rvelill32.internal.corp" + ], "related.ip": [ "10.196.157.28" ], @@ -2476,6 +2725,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ectetura2657.www.localdomain" + ], "related.ip": [ "10.143.0.78" ], @@ -2505,6 +2757,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ico3220.api.test" + ], "related.ip": [ "10.184.187.32" ], @@ -2534,6 +2789,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "Duisa7769.test" + ], "related.ip": [ "10.30.87.51" ], @@ -2563,6 +2821,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ptatev6552.www.test" + ], "related.ip": [ "10.180.62.222" ], @@ -2593,6 +2854,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olore6487.www5.local" + ], "related.ip": [ "10.198.9.209" ], @@ -2625,6 +2889,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nvol548.corp" + ], "related.ip": [ "10.41.217.115" ], @@ -2656,6 +2923,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "pteursi466.www.localdomain" + ], "related.ip": [ "10.212.196.228" ], @@ -2685,6 +2955,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "olupt1936.host" + ], "related.ip": [ "10.166.180.119" ], @@ -2714,6 +2987,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "uisaut2157.corp" + ], "related.ip": [ "10.7.142.212" ], 
@@ -2744,6 +3020,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "ecte882.www5.host" + ], "related.ip": [ "10.209.237.97" ], @@ -2776,6 +3055,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "doloreeu4417.example" + ], "related.ip": [ "10.61.26.207" ], @@ -2806,6 +3088,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "tper4341.lan" + ], "related.ip": [ "10.139.88.194" ], @@ -2837,6 +3122,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nimve4965.mail.corp" + ], "related.ip": [ "10.86.134.125" ], @@ -2866,6 +3154,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "mquisno5146.home" + ], "related.ip": [ "10.41.78.169" ], @@ -2895,6 +3186,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "imaveni4500.api.localdomain" + ], "related.ip": [ "10.69.181.95" ], @@ -2925,6 +3219,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "veleu2874.www5.localhost" + ], "related.ip": [ "10.222.6.52" ], @@ -2956,6 +3253,9 @@ "observer.product": "DHCP", "observer.type": "Application", "observer.vendor": "Microsoft", + "related.hosts": [ + "nemul5083.api.localdomain" + ], "related.ip": [ "10.218.41.80" ], diff --git a/x-pack/filebeat/module/netscout/sightline/config/input.yml b/x-pack/filebeat/module/netscout/sightline/config/input.yml index ec1e377e5cd..dbbca93154b 100644 --- a/x-pack/filebeat/module/netscout/sightline/config/input.yml +++ b/x-pack/filebeat/module/netscout/sightline/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml
index 0598b8e63d1..05fe8a00db0 100644
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml
+++ b/x-pack/filebeat/module/proofpoint/emailsecurity/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml
index 5618f330e7c..5aa08a193e8 100644
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json
index ea2fb8b7304..f9043afa34a 100644
--- a/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/proofpoint/emailsecurity/test/generated.log-expected.json
@@ -89,6 +89,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Proofpoint",
 "process.pid": 3391,
+ "related.hosts": [
+ "tenbyCic5882.api.home"
+ ],
 "related.ip": [
 "10.69.20.77"
 ],
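Review bot: The second added `append` in the proofpoint pipeline hunk copies `destination.address` into `related.hosts` whenever it is set, but in ECS the `*.address` fields carry whatever raw value the log had, an IP or a hostname, whereas `related.hosts` is meant for hostnames and similar host identifiers (IPs already go to `related.ip`). In the regenerated fixture the value appears to be a hostname (`estla4081.corp`, matching `rsa.network.host_dst` in the same expected-output entry), but a log line that carries a destination IP would land the same IP in both `related.ip` and `related.hosts`. If this module populates `destination.domain`, keying the append on that field (`value: '{{destination.domain}}'` / `if: ctx?.destination?.domain != null`) keeps the field clean; otherwise a comment above the processor stating that `destination.address` is expected to hold a hostname for this source would at least document the assumption. The same concern applies to the `source.address` and `destination.address` appends in the sonicwall pipeline hunk (`@@ -53,6 +53,26 @@`).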
@@ -247,6 +250,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 7183, + "related.hosts": [ + "ommod3671.mail.domain" + ], "rsa.email.email_src": "dexeaco", "rsa.internal.messageid": "queued-reinject", "rsa.misc.client": "emaperi", @@ -477,6 +483,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 4499, + "related.hosts": [ + "ersp3536.www5.lan" + ], "rsa.db.index": "mod", "rsa.email.email_dst": "fugiatn", "rsa.internal.messageid": "queued-aglife", @@ -666,6 +675,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 3866, + "related.hosts": [ + "sit6590.lan" + ], "related.ip": [ "10.123.143.188" ], @@ -1256,6 +1268,9 @@ "observer.product": "Email", "observer.type": "Firewall", "observer.vendor": "Proofpoint", + "related.hosts": [ + "lors7553.api.local" + ], "rsa.internal.messageid": "dkimv_run", "rsa.misc.client": "uido", "rsa.misc.log_session_id": "tiaecon", @@ -1473,6 +1488,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 2861, + "related.hosts": [ + "str4641.domain" + ], "related.ip": [ "10.151.31.58" ], @@ -2407,6 +2425,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 3274, + "related.hosts": [ + "Sedutper7794.www5.domain" + ], "related.ip": [ "10.154.22.241" ], @@ -2533,6 +2554,9 @@ "observer.type": "Firewall", "observer.vendor": "Proofpoint", "process.pid": 4250, + "related.hosts": [ + "estla4081.corp" + ], "rsa.internal.messageid": "queued-default", "rsa.misc.client": "queued-default", "rsa.network.host_dst": "estla4081.corp", diff --git a/x-pack/filebeat/module/radware/defensepro/config/input.yml b/x-pack/filebeat/module/radware/defensepro/config/input.yml index 24f226db8f3..e978b023425 100644 --- a/x-pack/filebeat/module/radware/defensepro/config/input.yml +++ b/x-pack/filebeat/module/radware/defensepro/config/input.yml 
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/snort/log/config/input.yml b/x-pack/filebeat/module/snort/log/config/input.yml
index cd99c6e04da..f36e381ab96 100644
--- a/x-pack/filebeat/module/snort/log/config/input.yml
+++ b/x-pack/filebeat/module/snort/log/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml
index 0db6047881b..10e5acc9c15 100644
--- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml
@@ -53,6 +53,11 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
index bbb36b77dfa..f0150dcb87f 100644
--- a/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/snort/log/test/generated.log-expected.json
@@ -12,6 +12,9 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "quid2184.invalid"
+ ],
 "related.ip": [
 "10.202.72.124"
 ],
@@ -54,9 +57,12 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "uptatev4292.www.invalid"
+ ],
 "related.ip": [
- "10.38.77.13",
- "10.212.11.114"
+ "10.212.11.114",
+ "10.38.77.13"
 ],
 "rsa.internal.messageid": "NGIPS_events",
 "rsa.internal.msg_id": "uam",
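Review bot: The regenerated expected output for the snort module reorders pre-existing `related.ip` entries (the `@@ -54,9 +57,12 @@` hunk in generated.log-expected.json swaps `10.38.77.13` and `10.212.11.114`, and the same kind of swap recurs through the rest of that file), yet the only change to the snort pipeline here is the new `related.hosts` append, which never touches `related.ip`. That points either to a change in shared parsing code outside this diff or to non-deterministic ordering of that array; if it is the latter, these fixtures will be flaky, so the source of the reordering is worth confirming before merging. The append itself looks fine, with `allow_duplicates: false` guarding against repeated values.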
@@ -100,6 +106,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tlabo6088.www.localdomain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "itecto", "rsa.misc.result": "failure", @@ -127,6 +136,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "eporroqu4200.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "suntinc", "rsa.misc.result": "success", @@ -153,6 +165,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "conseq557.mail.lan" + ], "related.user": [ "aaliquaU" ], @@ -193,6 +208,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "itame189.domain" + ], "related.ip": [ "10.24.67.250", "10.182.199.231" @@ -238,6 +256,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "vitaedi1318.corp" + ], "related.user": [ "temqu" ], @@ -268,6 +289,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "itatione1916.www.host" + ], "related.user": [ "oluptate" ], @@ -306,9 +330,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.4418", + "related.hosts": [ + "its7829.localhost" + ], "related.ip": [ - "10.110.31.190", - "10.157.18.252" + "10.157.18.252", + "10.110.31.190" ], "rsa.crypto.sig_type": "rQu", "rsa.internal.messageid": "5979", @@ -351,6 +378,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aec3673.internal.host" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "niamq", "rsa.misc.result": "failure", @@ -378,6 +408,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "inibu2292.www.invalid" + ], "related.user": [ "isetquas" ], 
@@ -412,6 +445,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ori1241.www.corp" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "ercit", "rsa.misc.result": "failure", @@ -438,6 +474,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa748.localdomain" + ], "related.user": [ "aparia" ], @@ -470,6 +509,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "oluptat548.www5.invalid" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "dolorem", "rsa.misc.result": "failure", @@ -496,6 +538,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "loremag6816.www5.lan" + ], "related.user": [ "inrepreh" ], @@ -528,6 +573,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tionemu5269.internal.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "occaec", "rsa.misc.result": "failure", @@ -554,6 +602,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onulamco7734.www.local" + ], "related.user": [ "uptat" ], @@ -586,6 +637,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "luptatem3834.lan" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "tise", @@ -618,6 +672,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "exercita2068.api.invalid" + ], "related.ip": [ "10.169.84.140" ], @@ -651,6 +708,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "orumS757.www5.corp" + ], "related.ip": [ "10.130.231.129" ], 
@@ -685,6 +745,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "sedquian4212.www5.domain" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "eca", @@ -718,6 +781,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "oinBCSed3444.api.local" + ], "related.user": [ "smodtem" ], @@ -756,6 +822,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6724", + "related.hosts": [ + "apari5002.api.test" + ], "related.ip": [ "10.9.200.197", "10.182.213.195" @@ -810,9 +879,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tper4341.lan" + ], "related.ip": [ - "10.210.180.142", - "10.111.33.70" + "10.111.33.70", + "10.210.180.142" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "animi", @@ -856,6 +928,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "antiu3533.internal.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "lapari", "rsa.misc.result": "success", @@ -884,9 +959,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "cidu921.internal.lan" + ], "related.ip": [ - "10.165.33.19", - "10.222.183.123" + "10.222.183.123", + "10.165.33.19" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "usan", @@ -924,6 +1002,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.890", + "related.hosts": [ + "unturmag6190.api.lan" + ], "related.ip": [ "10.52.190.18", "10.238.223.171" 
@@ -974,9 +1055,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.3902", + "related.hosts": [ + "conseq6079.www.corp" + ], "related.ip": [ - "10.160.178.109", - "10.68.233.163" + "10.68.233.163", + "10.160.178.109" ], "rsa.crypto.sig_type": "ctobeat", "rsa.internal.messageid": "26992", @@ -1018,6 +1102,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tvol3402.www.local" + ], "related.ip": [ "10.162.109.83" ], @@ -1050,6 +1137,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "xcep3783.internal.localhost" + ], "related.user": [ "serro" ], @@ -1081,6 +1171,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ciatisun7378.www5.invalid" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "riaturEx", "rsa.misc.result": "unknown", @@ -1112,6 +1205,9 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6627", + "related.hosts": [ + "iqu4858.mail.invalid" + ], "related.ip": [ "10.213.100.153", "10.116.175.84" @@ -1156,6 +1252,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ionu3320.api.localhost" + ], "related.user": [ "estq" ], @@ -1186,6 +1285,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ollitan5079.www.lan" + ], "related.user": [ "deriti" ], @@ -1218,6 +1320,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nihilmol1849.api.local" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -1247,6 +1352,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ota4562.local" + ], "related.user": [ "epteurs" ], 
@@ -1278,6 +1386,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "gnama5033.www5.home" + ], "related.user": [ "ction" ], @@ -1309,6 +1420,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "sum6106.www.home" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "doe", "rsa.misc.result": "failure", @@ -1335,6 +1449,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "squa2763.www.lan" + ], "related.user": [ "trude" ], @@ -1375,9 +1492,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "stiae3403.internal.localhost" + ], "related.ip": [ - "10.240.144.78", - "10.251.159.118" + "10.251.159.118", + "10.240.144.78" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "ostrudex", @@ -1421,6 +1541,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "setq5996.corp" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "odi", "rsa.misc.result": "success", @@ -1448,6 +1571,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "quiano3025.api.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "sequatD", "rsa.misc.result": "unknown", @@ -1475,6 +1601,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "qui7797.www.host" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "umet", "rsa.misc.result": "failure", 
@@ -1510,9 +1639,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "urau1660.www.lan" + ], "related.ip": [ - "10.140.209.249", - "10.201.132.114" + "10.201.132.114", + "10.140.209.249" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "lor", @@ -1555,6 +1687,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "edutpers3482.www5.corp" + ], "related.user": [ "mnisis" ], @@ -1592,9 +1727,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2633", + "related.hosts": [ + "nofde7732.internal.test" + ], "related.ip": [ - "10.36.122.169", - "10.198.44.231" + "10.198.44.231", + "10.36.122.169" ], "rsa.crypto.sig_type": "umquam", "rsa.internal.messageid": "13228", @@ -1644,6 +1782,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "evita850.localdomain" + ], "related.ip": [ "10.77.86.215", "10.144.162.122" @@ -1689,6 +1830,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aturau3002.api.corp" + ], "related.user": [ "sci" ], @@ -1720,6 +1864,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ntiumt238.internal.corp" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "odite", @@ -1753,6 +1900,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "atu2951.test" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "pitlab", "rsa.misc.result": "success", @@ -1779,6 +1929,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "uipe5295.api.localhost" + ], "related.user": [ "mwrit" ], 
@@ -1810,6 +1963,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tatiset5041.www5.local" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "Utenim", @@ -1842,6 +1998,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "esse2198.mail.example" + ], "related.user": [ "uaturvel" ], @@ -1873,6 +2032,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "pitlab5165.localdomain" + ], "related.ip": [ "10.17.172.91" ], @@ -1906,6 +2068,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "uinesci6041.api.local" + ], "related.user": [ "pers" ], @@ -1944,9 +2109,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2115", + "related.hosts": [ + "uovol2459.www5.invalid" + ], "related.ip": [ - "10.28.105.106", - "10.60.137.215" + "10.60.137.215", + "10.28.105.106" ], "rsa.crypto.sig_type": "tionu", "rsa.internal.messageid": "5155", @@ -1988,6 +2156,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ptate7215.www5.home" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "ssequa", "rsa.misc.result": "failure", @@ -2015,6 +2186,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "metc7395.lan" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ 
@@ -2051,11 +2225,14 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "Loremips5368.www5.corp" + ], "related.ip": [ - "10.166.40.137", "10.49.190.163", - "10.20.167.114", - "10.65.144.119" + "10.166.40.137", + "10.65.144.119", + "10.20.167.114" ], "rsa.internal.event_desc": "Offloaded TCP Flow for connection", "rsa.internal.messageid": "FTD_events", @@ -2095,6 +2272,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "mexer1548.www5.example" + ], "related.ip": [ "10.104.78.147", "10.162.128.87" @@ -2132,9 +2312,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "emulla6625.www5.corp" + ], "related.ip": [ - "10.82.180.46", - "10.237.43.87" + "10.237.43.87", + "10.82.180.46" ], "rsa.internal.messageid": "MALWARE", "rsa.misc.checksum": "oloremqu", @@ -2174,9 +2357,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.4189", + "related.hosts": [ + "magn3657.api.invalid" + ], "related.ip": [ - "10.234.234.205", - "10.180.28.156" + "10.180.28.156", + "10.234.234.205" ], "rsa.crypto.sig_type": "mnihil", "rsa.internal.messageid": "5315", @@ -2221,6 +2407,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nis3942.mail.example" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "architec", "rsa.misc.result": "success", @@ -2256,6 +2445,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "upta788.invalid" + ], "related.ip": [ "10.166.10.187", "10.40.250.209" @@ -2302,6 +2494,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "consequu3962.api.localdomain" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ 
@@ -2333,6 +2528,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ita7851.localhost" + ], "related.ip": [ "10.78.180.219", "10.198.202.72" @@ -2376,9 +2574,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.2390", + "related.hosts": [ + "laparia5374.api.domain" + ], "related.ip": [ - "10.232.67.182", - "10.147.155.100" + "10.147.155.100", + "10.232.67.182" ], "rsa.crypto.sig_type": "eufugi", "rsa.internal.messageid": "26152", @@ -2427,9 +2628,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.1034", + "related.hosts": [ + "onse3711.api.domain" + ], "related.ip": [ - "10.95.152.78", - "10.4.147.70" + "10.4.147.70", + "10.95.152.78" ], "rsa.crypto.sig_type": "cid", "rsa.internal.messageid": "9193", @@ -2472,6 +2676,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iac7016.api.lan" + ], "related.user": [ "antiu" ], @@ -2502,6 +2709,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tte4006.www5.test" + ], "related.user": [ "lors" ], @@ -2534,6 +2744,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "equatD1241.www5.host" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "econs", @@ -2568,6 +2781,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "essequ121.localdomain" + ], "related.ip": [ "10.216.14.36", "10.224.250.83" @@ -2608,9 +2824,12 @@ "observer.type": "IDS", "observer.vendor": "Snort", "observer.version": "1.6298", + "related.hosts": [ + "borios1685.www.localhost" + ], "related.ip": [ - "10.38.22.60", - "10.231.10.63" + "10.231.10.63", + "10.38.22.60" ], "rsa.crypto.sig_type": "taliquip", "rsa.internal.messageid": "10329", 
@@ -2663,6 +2882,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "Bonoru5658.mail.invalid" + ], "related.ip": [ "10.29.231.11", "10.46.57.181" @@ -2708,6 +2930,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "ueipsa6797.mail.home" + ], "related.user": [ "agnaal" ], @@ -2738,6 +2963,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iono5161.www5.localhost" + ], "related.user": [ "ita" ], @@ -2770,6 +2998,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "untut3537.domain" + ], "rsa.counters.dclass_c1_str": "Number of Files", "rsa.internal.messageid": "connection_events", "rsa.misc.action": [ @@ -2808,6 +3039,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "reetd7201.invalid" + ], "related.ip": [ "10.135.250.25", "10.107.144.80" @@ -2854,6 +3088,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "tnula4380.mail.test" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "olupta", "rsa.misc.result": "failure", @@ -2880,6 +3117,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "apar2567.www.localhost" + ], "related.user": [ "iscing" ], @@ -2916,6 +3156,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onsecte5119.www.invalid" + ], "related.ip": [ "10.198.207.31", "10.5.88.183" @@ -2952,6 +3195,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "iutali3143.host" + ], "related.user": [ "ect" ], 
@@ -2983,6 +3229,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "orro7466.www5.lan" + ], "related.user": [ "issu" ], @@ -3013,6 +3262,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "epre7710.www.domain" + ], "related.user": [ "aria" ], @@ -3044,6 +3296,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nsequatu2799.www5.invalid" + ], "related.user": [ "mape" ], @@ -3076,6 +3331,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "scingel1634.api.home" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "meaq", @@ -3109,6 +3367,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "inBCSe364.www.corp" + ], "rsa.counters.dclass_c1_str": " The number of intrusion events", "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "high-tsedquia", @@ -3150,9 +3411,12 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "onofdeFi1149.www5.domain" + ], "related.ip": [ - "10.154.87.98", - "10.186.68.87" + "10.186.68.87", + "10.154.87.98" ], "rsa.internal.messageid": "NGIPS_events", "rsa.internal.msg_id": "uptate", @@ -3204,6 +3468,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "lumdol5252.internal.test" + ], "related.ip": [ "10.35.59.140", "10.67.211.63" @@ -3250,6 +3517,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "quianonn2762.api.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "eeufugia", "rsa.misc.result": "unknown", 
@@ -3276,6 +3546,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "atn2219.api.invalid" + ], "related.user": [ "radip" ], @@ -3308,6 +3581,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "equu1159.internal.localhost" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "atcup", "rsa.misc.result": "failure", @@ -3335,6 +3611,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "urQuisau2442.mail.invalid" + ], "related.user": [ "uptate" ], @@ -3370,6 +3649,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "cididu3187.home" + ], "related.ip": [ "10.14.46.141", "10.179.27.185" @@ -3406,6 +3688,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "aliqua4025.www.localdomain" + ], "related.user": [ "deFinibu" ], @@ -3439,6 +3724,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "citati1297.api.domain" + ], "related.user": [ "emp" ], @@ -3471,6 +3759,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "nreprehe2138.www5.domain" + ], "rsa.internal.messageid": "HMNOTIFY", "rsa.misc.event_type": "eursi", "rsa.misc.result": "success", @@ -3498,6 +3789,9 @@ "observer.product": "IDS", "observer.type": "IDS", "observer.vendor": "Snort", + "related.hosts": [ + "idolore6589.api.localdomain" + ], "related.user": [ "ctobea" ], 
@@ -3538,11 +3832,14 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "erunt3957.internal.lan"
+ ],
 "related.ip": [
- "10.125.130.61",
 "10.118.103.185",
+ "10.32.195.34",
 "10.240.77.10",
- "10.32.195.34"
+ "10.125.130.61"
 ],
 "rsa.internal.event_desc": "TCP Flow is no longer offloaded for connection",
 "rsa.internal.messageid": "FTD_events",
@@ -3582,6 +3879,9 @@
 "observer.product": "IDS",
 "observer.type": "IDS",
 "observer.vendor": "Snort",
+ "related.hosts": [
+ "ntNe7144.api.lan"
+ ],
 "related.ip": [
 "10.111.130.177",
 "10.188.88.133"
diff --git a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
index 91bbc2d960f..b0bed38d214 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
+++ b/x-pack/filebeat/module/sonicwall/firewall/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
index 921b02b96ea..0dfb627bc0b 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml
@@ -53,6 +53,26 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null
+ - append:
+ field: related.hosts
+ value: '{{source.address}}'
+ allow_duplicates: false
+ if: ctx?.source?.address != null
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null
 on_failure:
 - append:
 field: error.message
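Review bot: The two appends of `source.address` and `destination.address` to `related.hosts` will also push IP literals into the hostname pivot field, because ECS `*.address` is defined as holding either a hostname or an IP and nothing in the hunk distinguishes the two; this module already collects IPs in `related.ip` (visible in the regenerated sonicwall expected JSON), so those entries would be duplicated and a search on `related.hosts` would start matching on IPs. If the module also sets `source.ip`/`destination.ip` from the same values, the conditions can exclude that overlap, e.g. `if: ctx?.source?.address != null && ctx?.source?.address != ctx?.source?.ip` and the equivalent for destination. The sophos pipeline hunk further down appends `destination.address` the same way and has the same issue. Unrelated to the new processors but in the same patch: the regenerated sonicwall, sophos and squid expected JSON swaps the order of existing `related.ip`, `related.user` and `rsa.misc.action` entries that this change does not touch, which suggests the fixture generator's array order is not stable and the comparison would be more robust if it were order-insensitive.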
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 56ba3e6e78d..5b84648b930 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -18,9 +18,13 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "nostrud4819.mail.test", + "oreetdol1714.internal.corp" + ], "related.ip": [ - "10.92.136.230", - "10.49.111.67" + "10.49.111.67", + "10.92.136.230" ], "rsa.internal.messageid": "914", "rsa.internal.msg": "lupt", @@ -81,9 +85,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ + "10.227.15.1", "10.149.203.46", - "10.150.156.22", - "10.227.15.1" + "10.150.156.22" ], "rsa.internal.event_desc": "ctetur", "rsa.internal.messageid": "1369", @@ -416,9 +420,12 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "fugi4637.www.lan" + ], "related.ip": [ - "10.30.196.102", - "10.241.178.107" + "10.241.178.107", + "10.30.196.102" ], "rsa.internal.messageid": "353", "rsa.internal.msg": "onproide", @@ -471,8 +478,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.157.161.103", - "10.78.151.178" + "10.78.151.178", + "10.157.161.103" ], "rsa.internal.event_desc": "taut", "rsa.internal.messageid": "24", @@ -504,8 +511,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.204.11.20", - "10.239.201.234" + "10.239.201.234", + "10.204.11.20" ], "rsa.internal.messageid": "87", "rsa.internal.msg": "Loremip", @@ -544,8 +551,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.245.200.97", "10.34.161.166", + "10.245.200.97", "10.219.116.137" ], "rsa.internal.event_desc": "rehend", 
@@ -592,8 +599,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.252.122.195", - "10.118.80.140" + "10.118.80.140", + "10.252.122.195" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", @@ -781,8 +788,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.237.163.139", - "10.135.187.104" + "10.135.187.104", + "10.237.163.139" ], "rsa.internal.messageid": "882", "rsa.internal.msg": "itatio", @@ -838,8 +845,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "rsa.internal.messageid": "372", "rsa.internal.msg": "ommodico", @@ -1207,9 +1214,13 @@ "observer.product": "Firewalls", "observer.type": "Firewall", "observer.vendor": "Sonicwall", + "related.hosts": [ + "tiaec5551.www.local", + "ise5905.www.local" + ], "related.ip": [ - "10.53.113.23", - "10.97.124.211" + "10.97.124.211", + "10.53.113.23" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1420,9 +1431,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.113.100.237", + "10.108.84.24", "10.251.248.228", - "10.108.84.24" + "10.113.100.237" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1635,8 +1646,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.104.49.142", - "10.102.166.19" + "10.102.166.19", + "10.104.49.142" ], "rsa.internal.messageid": "252", "rsa.internal.msg": "eprehend", @@ -1766,8 +1777,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.191.242.168", - "10.165.48.224" + "10.165.48.224", + "10.191.242.168" ], "rsa.internal.event_desc": "equep", "rsa.internal.messageid": "995", 
@@ -1852,8 +1863,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.219.42.212",
- "10.57.85.98"
+ "10.57.85.98",
+ "10.219.42.212"
 ],
 "rsa.internal.event_desc": "mquisno",
 "rsa.internal.messageid": "995",
@@ -1906,8 +1917,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.195.223.82",
- "10.135.70.159"
+ "10.135.70.159",
+ "10.195.223.82"
 ],
 "rsa.internal.messageid": "351",
 "rsa.internal.msg": "CSe",
@@ -2057,8 +2068,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.12.54.142",
- "10.56.10.84"
+ "10.56.10.84",
+ "10.12.54.142"
 ],
 "rsa.internal.messageid": "658",
 "rsa.internal.msg": "osquirat",
@@ -2176,8 +2187,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.57.255.4",
- "10.200.122.184"
+ "10.200.122.184",
+ "10.57.255.4"
 ],
 "rsa.identity.user_sid_dst": "sBon",
 "rsa.internal.event_desc": "fic",
@@ -2318,8 +2329,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.78.29.246",
- "10.125.85.128"
+ "10.125.85.128",
+ "10.78.29.246"
 ],
 "rsa.internal.messageid": "355",
 "rsa.internal.msg": "labo",
@@ -2449,8 +2460,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.245.216.15",
- "10.110.208.170"
+ "10.110.208.170",
+ "10.245.216.15"
 ],
 "rsa.internal.messageid": "931",
 "rsa.internal.msg": "aecatcup",
@@ -2673,8 +2684,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.219.228.115",
- "10.179.3.247"
+ "10.179.3.247",
+ "10.219.228.115"
 ],
 "rsa.internal.messageid": "373",
 "rsa.misc.action": [
diff --git a/x-pack/filebeat/module/sophos/utm/config/input.yml b/x-pack/filebeat/module/sophos/utm/config/input.yml
index c2774be9846..865b6e27119 100644
--- a/x-pack/filebeat/module/sophos/utm/config/input.yml
+++ b/x-pack/filebeat/module/sophos/utm/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
index 777046121c7..8a11fce4053 100644
--- a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
index d820157c77c..b57ab7067ab 100644
--- a/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/sophos/utm/test/generated.log-expected.json
@@ -51,14 +51,17 @@
 "observer.vendor": "Sophos",
 "observer.version": "1.5102",
 "process.pid": 5716,
+ "related.hosts": [
+ "ercit2385.internal.home"
+ ],
 "related.ip": [
 "10.47.202.102",
 "10.57.170.140"
 ],
 "related.user": [
- "dexeac",
 "sunt",
- "icistatuscode=giatquov"
+ "icistatuscode=giatquov",
+ "dexeac"
 ],
 "rsa.db.index": "run",
 "rsa.identity.logon_type": "nofdeF",
@@ -119,6 +122,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sophos",
 "process.pid": 3905,
+ "related.hosts": [
+ "eirure7587.internal.localhost"
+ ],
 "rsa.internal.messageid": "reverseproxy",
 "rsa.misc.event_log": "aaliquaU",
 "rsa.misc.result": "No form context found",
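Review bot: `related.hosts` here is fed only from `host.name` and `destination.address`, while the sonicwall pipeline in the same patch also appends `host.hostname` and `source.address`; if sophos utm events populate either of those the pivot misses them, and if they do not, a comment on the first append saying so would stop the next reader from treating the difference as an oversight, e.g. `# sophos utm sets host.name and destination.address only; there is no source-side name to add`. As with the sonicwall hunk, `destination.address` may carry an IP literal, which then lands in `related.hosts` next to the hostnames. The `processors` list these entries extend starts outside the hunk.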
@@ -150,12 +156,15 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.3129", + "related.hosts": [ + "data4478.api.lan" + ], "related.ip": [ "10.106.239.55" ], "related.user": [ - "eaq", - "itquiin" + "itquiin", + "eaq" ], "rsa.identity.logon_type": "stquidol", "rsa.internal.event_desc": "bor", @@ -196,6 +205,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7692, + "related.hosts": [ + "ctetura3009.www5.corp" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "corp", "rsa.misc.event_id": "AH00292", @@ -275,6 +287,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 945, + "related.hosts": [ + "ptasnu6684.mail.lan" + ], "related.ip": [ "10.18.13.211" ], @@ -306,6 +321,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ssecillu7166.internal.lan" + ], "rsa.internal.event_desc": "barnyard:Initializing daemon mode", "rsa.internal.messageid": "barnyard", "rsa.network.alias_host": [ @@ -333,6 +351,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2164, + "related.hosts": [ + "ore5643.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "acom", "rsa.misc.severity": "high", @@ -362,6 +383,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4006, + "related.hosts": [ + "ciun39.localdomain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Unclean shutdown", "rsa.misc.event_id": "AH00098", @@ -392,6 +416,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1263, + "related.hosts": [ + "atatnon6064.www.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_id": "AH00291", "rsa.misc.event_log": "adol", 
@@ -420,6 +447,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "gitse2463.www5.invalid" + ], "related.user": [ "agnaaliq" ], @@ -475,6 +505,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "oriosam6277.mail.localdomain" + ], "related.ip": [ "10.169.5.162" ], @@ -509,6 +542,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5996, + "related.hosts": [ + "ptate3830.internal.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_id": "AH02572", "rsa.misc.event_log": "ntut", @@ -538,6 +574,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3340, + "related.hosts": [ + "nvo6105.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "isn", "rsa.misc.event_id": "AH00020", @@ -592,6 +631,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.5889", + "related.hosts": [ + "edic2758.api.domain" + ], "related.ip": [ "10.54.169.175" ], @@ -698,6 +740,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 170, + "related.hosts": [ + "ectobeat3157.mail.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ditau", "rsa.misc.event_id": "AH02312", @@ -733,6 +778,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 873, + "related.hosts": [ + "ident2323.internal.corp" + ], "related.ip": [ "10.144.21.112" ], @@ -764,6 +812,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ttenb4581.www.host" + ], "rsa.internal.event_desc": "httpproxy:shutdown finished, exiting.", "rsa.internal.messageid": "httpproxy", "rsa.network.alias_host": [ 
@@ -789,6 +840,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "lapari5763.api.invalid" + ], "related.ip": [ "10.103.2.48" ], @@ -829,6 +883,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "elites4713.www.localhost" + ], "related.ip": [ "10.161.51.135", "10.52.190.18" @@ -878,6 +935,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3338, + "related.hosts": [ + "sam1795.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "animide", "rsa.misc.event_id": "AH02312", @@ -968,13 +1028,17 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.5146", + "related.hosts": [ + "nostrum6305.internal.localhost", + "Duis583.api.local" + ], "related.ip": [ "10.17.51.153", "10.89.41.97" ], "related.user": [ - "tio", "tcustatuscode=eumiu", + "tio", "pteurs" ], "rsa.db.index": "eavolupt", @@ -1037,6 +1101,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "xeaco7887.www.localdomain" + ], "related.user": [ "uptate" ], @@ -1071,6 +1138,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5430, + "related.hosts": [ + "iscivel3512.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.operation_id": "eriti", "rsa.network.host_dst": "iscivel3512.invalid", @@ -1119,6 +1189,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "dolor5799.home" + ], "rsa.internal.event_desc": "afcd: IM/P2P Classifier configuration reloaded successfully.", "rsa.internal.messageid": "afcd", "rsa.network.alias_host": [ 
@@ -1147,6 +1220,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6691, + "related.hosts": [ + "oreseosq1859.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "essequam", "rsa.misc.result": "Virus daemon connection problem", @@ -1203,6 +1279,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1121, + "related.hosts": [ + "autodit272.www.localhost" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "imadmin", "rsa.misc.severity": "very-high", @@ -1234,6 +1313,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3705, + "related.hosts": [ + "rporis6787.www5.localdomain" + ], "related.ip": [ "10.148.21.7" ], @@ -1268,6 +1350,10 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "reprehe5661.www.lan", + "ntore4333.api.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "iumd", "rsa.misc.operation_id": "equam", @@ -1298,6 +1384,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2384, + "related.hosts": [ + "sequatD163.internal.example" + ], "related.ip": [ "10.151.206.38" ], @@ -1331,6 +1420,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "elillu5777.www5.lan" + ], "related.ip": [ "10.230.4.70" ], @@ -1362,6 +1454,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "ecatcup3022.mail.invalid" + ], "rsa.db.index": "nproide", "rsa.internal.event_desc": "xl2tpd:xl2tpd Software copyright.", "rsa.internal.messageid": "xl2tpd", 
@@ -1388,6 +1483,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "qui7797.www.host" + ], "rsa.internal.event_desc": "ipsec_starter: Starting strongSwan 4.2.3 IPsec [starter]...", "rsa.internal.messageid": "ipsec_starter", "rsa.network.alias_host": [ @@ -1416,6 +1514,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3994, + "related.hosts": [ + "nofdeFin2037.mail.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "nevol", "rsa.misc.result": "Cannot read reply", @@ -1471,6 +1572,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4074, + "related.hosts": [ + "eFinib2403.api.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ecatcu", "rsa.misc.event_log": "sun", @@ -1506,8 +1610,8 @@ "10.244.96.61" ], "related.user": [ - "iumt", - "itsedqui" + "itsedqui", + "iumt" ], "rsa.identity.logon_type": "psamvolu", "rsa.internal.event_desc": "orroqui", @@ -1572,6 +1676,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 1853, + "related.hosts": [ + "obeatae2042.www.domain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "ula", "rsa.misc.event_id": "AH01110", @@ -1602,6 +1709,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "aerat1267.www5.example" + ], "rsa.internal.event_desc": "pop3proxy:Master started.", "rsa.internal.messageid": "pop3proxy", "rsa.network.alias_host": [ @@ -1630,6 +1740,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 478, + "related.hosts": [ + "writt2238.internal.localdomain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aed", "rsa.misc.severity": "low", 
@@ -1660,6 +1773,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7721, + "related.hosts": [ + "siutaliq4937.api.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "server certificate has a different hostname from actual hostname", "rsa.misc.event_log": "urvel", @@ -1731,14 +1847,17 @@ "observer.vendor": "Sophos", "observer.version": "1.3726", "process.pid": 1090, + "related.hosts": [ + "tenbyCi4371.www5.localdomain" + ], "related.ip": [ "10.98.126.206", "10.214.167.164" ], "related.user": [ "hen", - "amremapstatuscode=dolorsit", - "isnostru" + "isnostru", + "amremapstatuscode=dolorsit" ], "rsa.db.index": "spernatu", "rsa.identity.logon_type": "untutl", @@ -1853,6 +1972,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7755, + "related.hosts": [ + "ectob5542.www5.corp" + ], "related.ip": [ "10.231.77.26" ], @@ -1902,15 +2024,19 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "observer.version": "1.2707", + "related.hosts": [ + "iusmo901.www.home", + "tenima5715.api.example" + ], "related.ip": [ "10.2.24.156", "10.92.93.236" ], "related.user": [ "ulpaq", - "ntoccae", + "Sedutper", "dolorsistatuscode=acc", - "Sedutper" + "ntoccae" ], "rsa.db.index": "snisiut", "rsa.identity.logon_type": "umdol", @@ -1919,8 +2045,8 @@ "rsa.investigations.event_cat": 1901000000, "rsa.investigations.event_cat_name": "Other.Default", "rsa.misc.action": [ - "block", - "icons" + "icons", + "block" ], "rsa.misc.comments": "porincid", "rsa.misc.content_type": "temvele", @@ -1990,14 +2116,17 @@ "observer.vendor": "Sophos", "observer.version": "1.3155", "process.pid": 6463, + "related.hosts": [ + "mni4032.lan" + ], "related.ip": [ "10.180.169.49", "10.202.65.2" ], "related.user": [ - "tasu", + "atatno", "iscivelistatuscode=urve", - "atatno" + "tasu" ], "rsa.db.index": "amrem", "rsa.identity.logon_type": "nulamcol", 
@@ -2057,6 +2186,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5350, + "related.hosts": [ + "iscing6960.api.invalid" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "SSL Library Error", "rsa.misc.event_log": "incidu", @@ -2090,6 +2222,9 @@ "observer.vendor": "Sophos", "observer.version": "1.6420", "process.pid": 793, + "related.hosts": [ + "olupta3647.host" + ], "rsa.internal.event_desc": "imvenia", "rsa.internal.messageid": "httpd", "rsa.misc.event_log": "ruredo", @@ -2124,6 +2259,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6633, + "related.hosts": [ + "iavolu7814.www5.localhost" + ], "related.ip": [ "10.194.12.83" ], @@ -2172,14 +2310,17 @@ "observer.vendor": "Sophos", "observer.version": "1.4256", "process.pid": 5792, + "related.hosts": [ + "obea2960.mail.corp" + ], "related.ip": [ "10.33.138.154", "10.45.12.53" ], "related.user": [ + "eturadip", "umqustatuscode=ntexpli", - "porincid", - "eturadip" + "porincid" ], "rsa.db.index": "dolor", "rsa.identity.logon_type": "eturadi", @@ -2269,6 +2410,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 212, + "related.hosts": [ + "olli5982.www.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "uatDui", "rsa.misc.result": "virus daemon error", @@ -2300,6 +2444,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3136, + "related.hosts": [ + "nsecte3644.internal.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "isund", "rsa.misc.severity": "high", @@ -2334,8 +2481,8 @@ "10.32.85.21" ], "related.user": [ - "etconsec", - "antium" + "antium", + "etconsec" ], "rsa.identity.logon_type": "umiurere", "rsa.internal.event_desc": "serro", 
@@ -2371,6 +2518,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "econseq7119.www.home" + ], "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [ @@ -2399,6 +2549,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 3669, + "related.hosts": [ + "ant2543.www5.lan" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "lapa", "rsa.misc.result": "Cannot read reply", @@ -2471,15 +2624,18 @@ "observer.vendor": "Sophos", "observer.version": "1.7641", "process.pid": 6562, + "related.hosts": [ + "nisiuta4810.api.test" + ], "related.ip": [ - "10.210.175.52", - "10.85.200.58" + "10.85.200.58", + "10.210.175.52" ], "related.user": [ - "reetd", - "inimastatuscode=emipsum", "Loremi", - "rExce" + "rExce", + "reetd", + "inimastatuscode=emipsum" ], "rsa.db.index": "apa", "rsa.identity.logon_type": "sedquia", @@ -2547,9 +2703,12 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "itametc1599.api.test" + ], "related.ip": [ - "10.115.166.48", - "10.133.45.45" + "10.133.45.45", + "10.115.166.48" ], "rsa.internal.event_desc": "Authentication", "rsa.internal.messageid": "ulogd", @@ -2594,6 +2753,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "tiumt5462.mail.localhost" + ], "rsa.internal.event_desc": "sshd:Invalid user admin.", "rsa.internal.messageid": "sshd", "rsa.network.alias_host": [ @@ -2619,6 +2781,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "vol1450.internal.host" + ], "related.ip": [ "10.71.184.162" ], 
@@ -2675,6 +2840,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5943, + "related.hosts": [ + "rporissu573.api.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "nihi", "rsa.misc.event_id": "AH02312", @@ -2705,6 +2873,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "nostru774.corp" + ], "rsa.internal.messageid": "URID", "rsa.misc.action": [ "allow" @@ -2759,6 +2930,9 @@ "observer.vendor": "Sophos", "observer.version": "1.7102", "process.pid": 5037, + "related.hosts": [ + "lorsita2216.www5.example" + ], "rsa.internal.event_desc": "olorsita", "rsa.internal.messageid": "httpd", "rsa.misc.event_log": "iadese", @@ -2795,6 +2969,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 4346, + "related.hosts": [ + "sum2208.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "nia", "rsa.misc.severity": "medium", @@ -2824,6 +3001,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 5126, + "related.hosts": [ + "ore6843.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "No signature on cookie", "rsa.misc.event_log": "aveniam", @@ -2857,6 +3037,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7442, + "related.hosts": [ + "Sedu1610.mail.corp" + ], "related.ip": [ "10.177.35.133" ], @@ -2892,6 +3075,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6600, + "related.hosts": [ + "corpo6737.example" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "aliquide", "rsa.misc.result": "failure", @@ -2942,6 +3128,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "eratvol314.www.home" + ], "rsa.internal.event_desc": "pop3proxy:Master started.", "rsa.internal.messageid": "pop3proxy", "rsa.network.alias_host": [ 
@@ -2971,6 +3160,10 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2389, + "related.hosts": [ + "utemvele1838.mail.test", + "seosquir715.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.comments": "rci", "rsa.misc.event_log": "aco", @@ -3008,6 +3201,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2237, + "related.hosts": [ + "ulapari2656.local" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.event_log": "non", "rsa.misc.result": "failure", @@ -3120,6 +3316,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7766, + "related.hosts": [ + "stla2856.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.disposition": "configured", "rsa.misc.event_log": "adolo", @@ -3150,6 +3349,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 2404, + "related.hosts": [ + "peri6748.www5.domain" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Unclean shutdown", "rsa.misc.event_id": "AH00098", @@ -3181,6 +3383,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 6108, + "related.hosts": [ + "tnon5442.internal.test" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.action": [ "accept" @@ -3215,6 +3420,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7690, + "related.hosts": [ + "ariatu2606.www.host" + ], "rsa.internal.messageid": "reverseproxy", "rsa.misc.context": "Not all file sent to client", "rsa.misc.event_log": "umquid", @@ -3251,6 +3459,9 @@ "observer.product": "UTM", "observer.type": "Firewall", "observer.vendor": "Sophos", + "related.hosts": [ + "imv1805.api.host" + ], "related.ip": [ "10.248.62.55", "10.96.243.231" @@ -3303,6 +3514,9 @@ "observer.type": "Firewall", "observer.vendor": "Sophos", "process.pid": 7650, + "related.hosts": [ + "rita600.www5.localdomain" + ], "related.ip": [ "10.132.101.158" ], 
@@ -3359,6 +3573,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sophos",
 "process.pid": 1817,
+ "related.hosts": [
+ "admini1122.www.local"
+ ],
 "related.ip": [
 "10.96.193.132"
 ],
@@ -3402,8 +3619,8 @@
 "10.96.200.83"
 ],
 "related.user": [
- "acommod",
- "lapariat"
+ "lapariat",
+ "acommod"
 ],
 "rsa.identity.logon_type": "remeumf",
 "rsa.internal.event_desc": "dol",
@@ -3439,6 +3656,9 @@
 "observer.product": "UTM",
 "observer.type": "Firewall",
 "observer.vendor": "Sophos",
+ "related.hosts": [
+ "emvel4391.localhost"
+ ],
 "rsa.internal.event_desc": "sshd: Did not receive identification string.",
 "rsa.internal.messageid": "sshd",
 "rsa.network.alias_host": [
@@ -3489,6 +3709,9 @@
 "observer.product": "UTM",
 "observer.type": "Firewall",
 "observer.vendor": "Sophos",
+ "related.hosts": [
+ "untinc5531.www5.test"
+ ],
 "rsa.internal.event_desc": "sshd:error:Could not get shadow information for NOUSER",
 "rsa.internal.messageid": "sshd",
 "rsa.network.alias_host": [
diff --git a/x-pack/filebeat/module/squid/log/config/input.yml b/x-pack/filebeat/module/squid/log/config/input.yml
index ac392325320..5ce8949c381 100644
--- a/x-pack/filebeat/module/squid/log/config/input.yml
+++ b/x-pack/filebeat/module/squid/log/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
index 96b12b89731..70ef42a20da 100644
--- a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml
@@ -53,6 +53,16 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{server.domain}}'
+ allow_duplicates: false
+ if: ctx?.server?.domain != null
+ - append:
+ field: related.hosts
+ value: '{{url.domain}}'
+ allow_duplicates: false
+ if: ctx?.url?.domain != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
index 3bd7adbce31..26b891ba4f1 100644
--- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
+++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json
@@ -21,6 +21,9 @@
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
+ "related.hosts": [
+ "login.yahoo.com"
+ ],
 "related.ip": [
 "209.73.177.115",
 "10.105.21.199"
@@ -82,9 +85,12 @@
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
+ "related.hosts": [
+ "www.goonernews.com"
+ ],
 "related.ip": [
- "207.58.145.61",
- "10.105.21.199"
+ "10.105.21.199",
+ "207.58.145.61"
 ],
 "related.user": [
 "badeyek"
@@ -145,6 +151,9 @@
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
+ "related.hosts": [
+ "www.goonernews.com"
+ ],
 "related.ip": [
 "10.105.21.199",
 "207.58.145.61"
@@ -196,6 +205,9 @@
 "observer.product": "Proxy",
 "observer.type": "Proxies",
 "observer.vendor": "Squid",
+ "related.hosts": [
+ "www.goonernews.com"
+ ],
 "related.ip": [
 "10.105.21.199"
 ],
@@ -208,8 +220,8 @@
 "rsa.investigations.ec_subject": "NetworkComm",
 "rsa.investigations.ec_theme": "ALM",
 "rsa.misc.action": [
- "TCP_HIT",
- "GET"
+ "GET",
+ "TCP_HIT"
 ],
 "rsa.misc.content_type": "text/css",
 "rsa.misc.result_code": "200",
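Review bot: `url.domain` is presumably parsed from the requested URL, so when a client fetches a resource by IPv4 or bracketed IPv6 literal that value goes into `related.hosts` next to the real hostnames, and nothing in the hunk filters it; whether `server.domain` is derived from the same value is not visible here. If the module also sets `destination.ip` or `server.ip` from such requests, the guard can exclude the overlap, e.g. `if: ctx?.url?.domain != null && ctx?.url?.domain != ctx?.destination?.ip`; otherwise a short comment on the append noting that `url.domain` may be an IP literal would record that this is accepted. The `processors` list these entries extend starts outside the hunk.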
@@ -246,6 +258,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ "10.105.21.199" ], @@ -307,6 +322,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199", "207.58.145.61" @@ -320,8 +338,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -367,9 +385,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google-analytics.com" + ], "related.ip": [ - "66.102.9.147", - "10.105.21.199" + "10.105.21.199", + "66.102.9.147" ], "related.user": [ "badeyek" @@ -380,8 +401,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -430,6 +451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -443,8 +467,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -493,9 +517,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" 
@@ -556,6 +583,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "207.58.145.61", "10.105.21.199" @@ -569,8 +599,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -607,6 +637,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -619,8 +652,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -669,6 +702,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "as.casalemedia.com" + ], "related.ip": [ "10.105.21.199", "209.85.16.38" @@ -682,8 +718,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -726,6 +762,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.21.199", "68.142.213.132" @@ -738,8 +777,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", 
@@ -785,9 +824,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "impgb.tradedoubler.com" + ], "related.ip": [ - "217.212.240.172", - "10.105.21.199" + "10.105.21.199", + "217.212.240.172" ], "related.user": [ "badeyek" @@ -798,8 +840,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -848,9 +890,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ - "206.169.136.22", - "10.105.21.199" + "10.105.21.199", + "206.169.136.22" ], "related.user": [ "badeyek" @@ -861,8 +906,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -899,6 +944,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ "10.105.21.199" ], @@ -911,8 +959,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -961,9 +1009,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -974,8 +1025,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -1024,9 +1075,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.goonernews.com" + ], "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1037,8 +1091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1082,9 +1136,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "4.adbrite.com" + ], "related.ip": [ - "64.127.126.178", - "10.105.21.199" + "10.105.21.199", + "64.127.126.178" ], "related.user": [ "badeyek" @@ -1145,6 +1202,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "ff.connextra.com" + ], "related.ip": [ "213.160.98.161", "10.105.21.199" @@ -1208,6 +1268,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "dd.connextra.com" + ], "related.ip": [ "213.160.98.160", "10.105.21.199" @@ -1258,6 +1321,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1270,8 +1336,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1316,9 +1382,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" 
@@ -1328,8 +1397,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1366,6 +1435,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "update.messenger.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -1378,8 +1450,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1424,6 +1496,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -1436,8 +1511,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1485,9 +1560,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1498,8 +1576,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1548,6 +1626,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ "10.105.47.218", "204.13.51.238" 
@@ -1561,8 +1642,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1607,6 +1688,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "10.105.33.214", "216.155.194.239" @@ -1657,6 +1741,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "rms.adobe.com" + ], "related.ip": [ "10.105.37.58" ], @@ -1669,8 +1756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1707,6 +1794,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1757,6 +1847,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "images.hi5.com" + ], "related.ip": [ "10.105.47.218" ], @@ -1769,8 +1862,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1818,9 +1911,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" 
@@ -1881,9 +1977,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "hi5.com" + ], "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1894,8 +1993,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1940,6 +2039,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" @@ -1952,8 +2054,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -1996,9 +2098,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -2056,6 +2161,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -2069,8 +2177,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2115,6 +2223,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ "216.155.194.239", "10.105.33.214" 
@@ -2127,8 +2238,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_MISS" + "TCP_MISS", + "POST" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2172,9 +2283,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "address.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "209.191.93.51" + "209.191.93.51", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2235,6 +2349,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "fxfeeds.mozilla.org" + ], "related.ip": [ "63.245.209.21", "10.105.21.199" @@ -2294,9 +2411,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.231.252" + "68.142.231.252", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2307,8 +2427,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2351,9 +2471,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2401,6 +2524,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], 
@@ -2412,8 +2538,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2450,6 +2576,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2499,6 +2628,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2547,6 +2679,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], @@ -2558,8 +2693,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "CONNECT" + "CONNECT", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2605,9 +2740,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2618,8 +2756,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2655,6 +2793,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.37.17" ], 
@@ -2666,8 +2807,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2713,9 +2854,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2726,8 +2870,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2772,9 +2916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "shttp.msg.yahoo.com" + ], "related.ip": [ - "216.155.194.239", - "10.105.33.214" + "10.105.33.214", + "216.155.194.239" ], "related.user": [ "adeolaegbedokun" @@ -2831,6 +2978,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -2891,6 +3041,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -2942,6 +3095,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -2953,8 +3109,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -2991,6 +3147,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -3049,6 +3208,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3109,6 +3271,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3169,9 +3334,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3229,9 +3397,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3280,6 +3451,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3330,6 +3504,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3342,8 +3519,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", 
@@ -3380,6 +3557,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3392,8 +3572,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_HIT", - "GET" + "GET", + "TCP_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3439,9 +3619,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "newsrss.bbc.co.uk" + ], "related.ip": [ - "10.105.21.199", - "212.58.226.33" + "212.58.226.33", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -3452,8 +3635,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_MISS", - "GET" + "GET", + "TCP_REFRESH_MISS" ], "rsa.misc.content_type": "application/xml", "rsa.misc.result_code": "200", @@ -3499,6 +3682,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ "68.142.231.252", "10.105.33.214" @@ -3550,6 +3736,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.ent1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3600,6 +3789,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ "10.105.33.214" ], @@ -3612,8 +3804,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", 
@@ -3659,6 +3851,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -3721,9 +3916,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3734,8 +3932,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/jpeg", "rsa.misc.result_code": "200", @@ -3781,9 +3979,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3841,6 +4042,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.music.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.219.132" @@ -3901,9 +4105,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3914,8 +4121,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -3952,6 +4159,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], 
@@ -3964,8 +4174,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4002,6 +4212,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "natrocket.kmip.net" + ], "related.ip": [ "10.105.37.65" ], @@ -4064,9 +4277,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.news1.yimg.com" + ], "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4124,6 +4340,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ "68.142.219.132", "10.105.33.214" @@ -4137,8 +4356,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4184,9 +4403,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4247,9 +4469,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.a2.yimg.com" + ], "related.ip": [ - "213.160.98.152", - "10.105.33.214" + "10.105.33.214", + "213.160.98.152" ], "related.user": [ "adeolaegbedokun" 
@@ -4260,8 +4485,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-shockwave-flash", "rsa.misc.result_code": "200", @@ -4307,9 +4532,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "radio.launch.yahoo.com" + ], "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -4365,6 +4593,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.bc.yahoo.com" + ], "related.ip": [ "10.105.33.214", "68.142.213.132" @@ -4423,9 +4654,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "insider.msg.yahoo.com" + ], "related.ip": [ - "68.142.194.14", - "10.105.33.214" + "10.105.33.214", + "68.142.194.14" ], "related.user": [ "adeolaegbedokun" @@ -4480,9 +4714,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "pclick.internal.yahoo.com" + ], "related.ip": [ - "216.109.124.55", - "10.105.33.214" + "10.105.33.214", + "216.109.124.55" ], "related.user": [ "adeolaegbedokun" @@ -4530,6 +4767,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], @@ -4592,6 +4832,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4605,8 +4848,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", 
@@ -4655,6 +4898,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.159" @@ -4668,8 +4914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4714,6 +4960,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.yahoo.com" + ], "related.ip": [ "209.73.177.115", "10.105.21.199" @@ -4726,8 +4975,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_MISS" + "TCP_MISS", + "CONNECT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -4776,9 +5025,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -4839,9 +5091,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "10.105.33.214", - "213.160.98.159" + "213.160.98.159", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4852,8 +5107,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4890,6 +5145,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214" ], 
@@ -4902,8 +5160,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_IMS_HIT" + "TCP_IMS_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -4952,9 +5210,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ - "213.160.98.167", - "10.105.33.214" + "10.105.33.214", + "213.160.98.167" ], "related.user": [ "adeolaegbedokun" @@ -5015,6 +5276,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "213.160.98.159", "10.105.33.214" @@ -5078,6 +5342,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "a1568.g.akamai.net" + ], "related.ip": [ "10.105.33.214", "213.160.98.167" @@ -5091,8 +5358,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5129,6 +5396,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "www.google.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5179,6 +5449,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.mcafee.com" + ], "related.ip": [ "10.105.47.191" ], @@ -5191,8 +5464,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -5236,9 +5509,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "launch.adserver.yahoo.com" + ], "related.ip": [ - "10.105.33.214", - "216.109.125.112" + "216.109.125.112", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5249,8 +5525,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5296,6 +5572,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "uk.f250.mail.yahoo.com" + ], "related.ip": [ "217.12.10.96", "10.105.21.199" @@ -5346,6 +5625,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "login.live.com" + ], "related.ip": [ "10.105.37.180" ], @@ -5407,9 +5689,12 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ - "10.105.21.199", - "213.160.98.169" + "213.160.98.169", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5458,6 +5743,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5520,6 +5808,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199", "213.160.98.169" @@ -5533,8 +5824,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", 
@@ -5571,6 +5862,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5621,6 +5915,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.js2.yimg.com" + ], "related.ip": [ "10.105.21.199" ], @@ -5671,6 +5968,9 @@ "observer.product": "Proxy", "observer.type": "Proxies", "observer.vendor": "Squid", + "related.hosts": [ + "us.i1.yimg.com" + ], "related.ip": [ "10.105.21.199" ], diff --git a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml index a735b86e766..b888ca3989d 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml index 26f7511d6c8..910205d3d03 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml 
@@ -53,6 +53,26 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{host.name}}'
+ allow_duplicates: false
+ if: ctx?.host?.name != null
+ - append:
+ field: related.hosts
+ value: '{{host.hostname}}'
+ allow_duplicates: false
+ if: ctx?.host?.hostname != null
+ - append:
+ field: related.hosts
+ value: '{{source.address}}'
+ allow_duplicates: false
+ if: ctx?.source?.address != null
+ - append:
+ field: related.hosts
+ value: '{{destination.address}}'
+ allow_duplicates: false
+ if: ctx?.destination?.address != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json
index c35bd2dbb66..9b9183fe35a 100644
--- a/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/symantec/endpointprotection/test/generated.log-expected.json
@@ -12,6 +12,9 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "exe7309.internal.local"
+ ],
 "rsa.internal.event_desc": "rsitam",
 "rsa.internal.messageid": "302776834",
 "rsa.misc.event_source": "reprehe",
@@ -41,6 +44,10 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "llam2073.internal.localdomain",
+ "sitas4259.mail.corp"
+ ],
 "rsa.internal.event_desc": "aboreetd",
 "rsa.internal.messageid": "303235083",
 "rsa.misc.event_source": "iumto",
@@ -72,6 +79,9 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "olupt3702.www.localhost"
+ ],
 "rsa.internal.event_desc": "colabor",
 "rsa.internal.messageid": "302450432",
 "rsa.misc.event_source": "tectobe",
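Review bot: The two appends of `source.address` and `destination.address` copy whatever raw token the parser left there into `related.hosts`, and the fixture updated in this same commit shows the effect: the `@@ -2789,6 +3028,10 @@` hunk of generated.log-expected.json lists `"Remote:"` as a related host. ECS `*.address` is the untyped field (IP, hostname or an unparsed fragment), so indexing it under `related.hosts` dilutes host pivots and, for IP values, duplicates what `related.ip` presumably already carries. If the pipeline populates `source.domain`/`destination.domain`, append those instead (`value: '{{source.domain}}'` with `if: ctx?.source?.domain != null`); otherwise tighten the two conditions so only hostname-like values pass. The `processors` list starts before this hunk and `on_failure` continues after it.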
@@ -99,6 +109,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "onse254.www5.localdomain", + "tat6349.internal.lan" + ], "rsa.db.index": "uiineavo", "rsa.internal.event_desc": "Invalid log record", "rsa.internal.messageid": "Invalid", @@ -146,6 +160,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "mdolore2062.mail.host" + ], "rsa.internal.event_desc": "tutla", "rsa.internal.messageid": "302449409", "rsa.misc.event_source": "den", @@ -175,6 +192,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "nisi6901.mail.home" + ], "related.user": [ "rem" ], @@ -208,6 +228,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "dutp6197.www.test" + ], "rsa.internal.event_desc": "tconsect", "rsa.internal.messageid": "303235076", "rsa.misc.event_source": "siut", @@ -237,6 +260,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umSe1918.local", + "nBCSedut1502.www5.example" + ], "rsa.internal.event_desc": "oditautf", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "fugia", @@ -270,6 +297,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt2189.lan", + "temporin7150.mail.local" + ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449169", "rsa.misc.event_source": "rationev", @@ -303,6 +334,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "emq6633.domain" + ], "related.user": [ "tinvolup" ], 
@@ -336,6 +370,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "Except6889.www.corp" + ], "rsa.internal.event_desc": "umq", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "asper", @@ -363,6 +400,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "quatD1370.invalid" + ], "rsa.internal.event_desc": "veniamqu", "rsa.internal.messageid": "302452802", "rsa.misc.event_source": "iruredol", @@ -392,6 +432,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "iatqu6203.mail.corp", + "quaeab2653.mail.localdomain" + ], "rsa.db.index": "itat", "rsa.internal.event_desc": "aco", "rsa.internal.messageid": "303235080", @@ -428,6 +472,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "redol124.mail.invalid" + ], "rsa.internal.event_desc": "orinrep", "rsa.internal.messageid": "302450688", "rsa.misc.event_source": "ctetu", @@ -455,6 +502,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "enim5999.mail.localhost" + ], "rsa.internal.event_desc": "orroquis", "rsa.internal.messageid": "303169538", "rsa.misc.event_source": "iame", @@ -484,6 +534,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "reseosqu1629.mail.lan", + "rsitvolu3596.www.test" + ], "rsa.internal.event_desc": "gelitsed", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "adm", @@ -515,6 +569,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tan3170.api.example" + ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "303235081", "rsa.misc.checksum": "dtemp", 
@@ -543,6 +600,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "eseruntm4247.mail.local", + "magnaal5792.www5.domain" + ], "rsa.counters.dclass_c1": 7519, "rsa.counters.dclass_c1_str": "Number of Virus Cleaned.", "rsa.internal.event_desc": "Cleaned up downloaded content.", @@ -571,6 +632,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "itatio6735.api.example" + ], "rsa.internal.event_desc": "rumSec", "rsa.internal.messageid": "302452801", "rsa.misc.event_source": "rsin", @@ -598,6 +662,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "radip163.mail.invalid" + ], "rsa.internal.event_desc": "miurerep", "rsa.internal.messageid": "302449166", "rsa.misc.event_source": "ainc", @@ -632,10 +699,14 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "vol866.api.domain", + "bore5546.www.local" + ], "related.ip": [ "10.7.164.113", - "10.207.125.114", - "10.175.83.138" + "10.175.83.138", + "10.207.125.114" ], "related.user": [ "remip" @@ -679,6 +750,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "inc5923.www.test", + "tatemseq5797.home" + ], "rsa.internal.event_desc": "eufugi", "rsa.internal.messageid": "302452817", "rsa.misc.event_source": "oremip", @@ -716,9 +791,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "enima7673.api.localhost", + "sequ6424.www.invalid" + ], "related.ip": [ - "10.217.91.49", - "10.139.207.36" + "10.139.207.36", + "10.217.91.49" ], "related.user": [ "lumqui" 
@@ -766,6 +845,10 @@ "observer.vendor": "Symantec", "process.parent.name": "mquis", "process.ppid": 5040, + "related.hosts": [ + "tnulapa7580.www.domain", + "madminim6826.www.host" + ], "related.ip": [ "10.249.243.41" ], @@ -820,6 +903,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ici182.invalid", + "caecat4678.www.home" + ], "rsa.internal.event_desc": "rem", "rsa.internal.messageid": "302449415", "rsa.misc.event_source": "quisn", @@ -851,6 +938,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "beat2952.internal.localhost" + ], "rsa.internal.event_desc": "iarchite", "rsa.internal.messageid": "302449410", "rsa.misc.event_source": "qua", @@ -880,6 +970,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ured3428.www.corp", + "uames7663.internal.local" + ], "rsa.internal.event_desc": "taspe", "rsa.internal.messageid": "302776321", "rsa.misc.event_source": "oreeu", @@ -911,6 +1005,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "velillum6639.www5.local" + ], "rsa.internal.event_desc": "itinvo", "rsa.internal.messageid": "302449153", "rsa.misc.event_source": "Mal", @@ -940,6 +1037,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "dictasun3408.internal.invalid", + "onoru5767.internal.domain" + ], "rsa.internal.event_desc": "uam", "rsa.internal.messageid": "303235079", "rsa.misc.event_source": "dipisciv", @@ -1002,6 +1103,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "uipe6805.www5.domain", + "atisu6579.test", + "tqui1142.www5.domain" + ], "related.ip": [ "10.209.205.25", "10.185.64.46" 
@@ -1091,9 +1197,14 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.7457", + "related.hosts": [ + "udexerci6630.mail.test", + "isiut4530.localdomain", + "deomn904.www.home" + ], "related.ip": [ - "10.35.89.51", - "10.202.55.203" + "10.202.55.203", + "10.35.89.51" ], "related.user": [ "Quis" @@ -1149,6 +1260,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "niamqui7696.mail.test", + "taliqu701.www.localhost" + ], "rsa.internal.event_desc": "Traffic Redirection disabled.", "rsa.internal.messageid": "Traffic", "rsa.network.alias_host": [ @@ -1181,6 +1296,10 @@ "observer.vendor": "Symantec", "process.parent.name": "onnu", "process.ppid": 724, + "related.hosts": [ + "ngelits6213.internal.test", + "lumd4298.mail.localdomain" + ], "related.ip": [ "10.139.89.148" ], @@ -1263,9 +1382,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tuserror810.www5.corp", + "uptate5787.api.local" + ], "related.ip": [ - "10.87.92.95", - "10.247.21.74" + "10.247.21.74", + "10.87.92.95" ], "related.user": [ "Sedutper" @@ -1313,6 +1436,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ruredolo7392.internal.host", + "mipsu3757.www5.home" + ], "rsa.db.index": "oris", "rsa.internal.event_desc": "labor", "rsa.internal.messageid": "303235080", @@ -1365,6 +1492,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ntmo4076.lan" + ], "rsa.internal.event_desc": "doconse", "rsa.internal.messageid": "302449158", "rsa.misc.event_source": "ationula", 
@@ -1414,6 +1544,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "amni48.internal.localdomain", + "alo6036.www5.local" + ], "rsa.internal.event_desc": "ita", "rsa.internal.messageid": "302710785", "rsa.misc.event_source": "mdolore", @@ -1447,6 +1581,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tenatus4129.www.local", + "uredo4613.home" + ], "rsa.internal.event_desc": "olupta", "rsa.internal.messageid": "303235082", "rsa.misc.event_source": "upi", @@ -1498,6 +1636,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "mini3181.api.test" + ], "rsa.internal.event_desc": "mwrit", "rsa.internal.messageid": "302452819", "rsa.misc.event_source": "ommodoc", @@ -1533,6 +1674,10 @@ "observer.vendor": "Symantec", "observer.version": "1.3638", "process.name": "remap", + "related.hosts": [ + "rsitam2337.mail.localdomain", + "iduntu7302.www.invalid" + ], "related.ip": [ "10.8.143.229" ], @@ -1557,8 +1702,8 @@ "rsa.misc.version": "1.3638", "rsa.misc.virusname": "isqu", "rsa.network.alias_host": [ - "rsitam2337.mail.localdomain", - "assit1598.www5.invalid" + "assit1598.www5.invalid", + "rsitam2337.mail.localdomain" ], "rsa.network.domain": "ema7531.api.example", "rsa.threat.threat_category": "isqu", @@ -1589,6 +1734,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "equu7361.www5.localdomain" + ], "rsa.internal.event_desc": "pta", "rsa.internal.messageid": "302449178", "rsa.misc.event_source": "non", @@ -1623,6 +1771,10 @@ "observer.vendor": "Symantec", "process.parent.name": "ipsum", "process.ppid": 885, + "related.hosts": [ + "uisno4545.www5.corp", + "iono5777.invalid" + ], "related.ip": [ "10.137.5.67" ], 
@@ -1726,6 +1878,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "adminima6097.corp", + "agnamali3222.example" + ], "related.ip": [ "10.66.203.117", "10.92.93.236" @@ -1777,6 +1933,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "equ2353.internal.local", + "eratv6521.example" + ], "rsa.internal.event_desc": "dolorsi", "rsa.internal.messageid": "302452807", "rsa.misc.event_source": "tlaboree", @@ -1810,6 +1970,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "bori7611.invalid", + "iset1992.internal.example" + ], "rsa.internal.event_desc": "imadmini", "rsa.internal.messageid": "302776321", "rsa.misc.event_source": "ffic", @@ -1860,6 +2024,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ntin2655.www.localdomain" + ], "rsa.internal.event_desc": "epo", "rsa.internal.messageid": "302449413", "rsa.misc.event_source": "itasper", @@ -1887,6 +2054,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "siuta395.home" + ], "rsa.internal.event_desc": "iumdolor", "rsa.internal.messageid": "302449414", "rsa.misc.event_source": "fugiat", @@ -1914,6 +2084,9 @@ "observer.product": "oluptate", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umdolore5014.api.lan" + ], "rsa.internal.event_desc": "Configuration Change", "rsa.internal.messageid": "Configuration", "rsa.misc.severity": "low", @@ -1939,6 +2112,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tisund4302.www5.local", + "vel1911.lan" + ], "related.ip": [ "10.147.225.53" ], 
@@ -2032,6 +2209,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "evelites2448.www.host", + "quisnost7124.api.domain" + ], "rsa.internal.event_desc": "odtem", "rsa.internal.messageid": "303169540", "rsa.misc.event_source": "uidexea", @@ -2076,6 +2257,11 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "observer.version": "1.132", + "related.hosts": [ + "iatquovo4868.test", + "madmi2948.internal.lan", + "edi6108.internal.domain" + ], "related.ip": [ "10.72.200.11", "10.132.171.142" @@ -2137,6 +2323,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "reverita794.mail.domain" + ], "related.user": [ "nis" ], @@ -2170,6 +2359,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "lillumq4387.www5.localhost" + ], "rsa.internal.event_desc": "sse", "rsa.internal.messageid": "302452743", "rsa.misc.event_source": "turExce", @@ -2199,6 +2391,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ipi563.api.lan" + ], "related.user": [ "anti" ], @@ -2232,6 +2427,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "uptatemU1147.mail.corp", + "mqu3327.internal.host" + ], "rsa.internal.event_desc": "Connection reset.", "rsa.internal.messageid": "Connection", "rsa.network.alias_host": [ @@ -2260,6 +2459,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "emp42.mail.test", + "ecatcupi4759.internal.local" + ], "rsa.internal.event_desc": "ritati", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "tenb", 
@@ -2312,6 +2515,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ipsu7538.www5.host" + ], "rsa.internal.event_desc": "squa", "rsa.internal.messageid": "302450944", "rsa.misc.event_source": "lamc", @@ -2368,9 +2574,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "iusmo5734.internal.invalid", + "dita2048.www5.home" + ], "related.ip": [ - "10.40.133.90", - "10.171.13.85" + "10.171.13.85", + "10.40.133.90" ], "related.user": [ "bor" @@ -2441,6 +2651,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ngelits2743.www5.host", + "inrepr7369.www.domain" + ], "rsa.internal.event_desc": "tatemac", "rsa.internal.messageid": "302452816", "rsa.misc.event_source": "lore", @@ -2474,6 +2688,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "olupt717.invalid", + "alorum1804.mail.test" + ], "rsa.internal.event_desc": "ano", "rsa.internal.messageid": "302452808", "rsa.misc.event_source": "psum", @@ -2507,6 +2725,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "queporr7029.internal.test" + ], "related.user": [ "unti" ], @@ -2569,9 +2790,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "upidat1328.internal.localhost", + "urExcep6087.www5.localhost" + ], "related.ip": [ - "10.31.231.57", - "10.155.163.6" + "10.155.163.6", + "10.31.231.57" ], "related.user": [ "norumetM" @@ -2641,6 +2866,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "tesseci33.internal.example" + ], "rsa.internal.event_desc": "nost", "rsa.internal.messageid": "302452816", "rsa.misc.event_source": "met", 
@@ -2668,6 +2896,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "alo7567.www5.test" + ], "rsa.internal.event_desc": "quisnos", "rsa.internal.messageid": "302452736", "rsa.misc.event_source": "proident", @@ -2695,6 +2926,9 @@ "observer.type": "Anti-Virus", "observer.vendor": "Symantec", "process.name": "sumq.exe", + "related.hosts": [ + "idest4209.api.domain" + ], "rsa.internal.event_desc": "The process can not lock the process status table", "rsa.internal.messageid": "275", "rsa.misc.reference_id": "275", @@ -2730,9 +2964,14 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "exer3621.www5.test", + "tisetqua6007.api.home", + "its1301.www.test" + ], "related.ip": [ - "10.216.134.62", - "10.134.6.246" + "10.134.6.246", + "10.216.134.62" ], "related.user": [ "ntexpl" @@ -2789,6 +3028,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ventorev7571.www5.corp", + "Remote:" + ], "related.ip": [ "10.202.96.232" ], @@ -2832,6 +3075,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "umSectio5136.www.local", + "untexpli391.internal.domain" + ], "rsa.internal.event_desc": "ipitlabo", "rsa.internal.messageid": "302449156", "rsa.misc.event_source": "num", @@ -2874,6 +3121,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "quide2790.mail.invalid", + "eniamqu1863.api.lan", + "quipex2615.www5.localhost" + ], "related.ip": [ "10.56.95.160", "10.29.149.77" @@ -2941,6 +3193,11 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ugia146.www5.corp", + "tionul7555.www5.lan", + "remipsum5485.api.local" + ], "related.ip": [ "10.173.98.74", "10.70.185.238" 
@@ -2998,6 +3255,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ilmoles4582.api.lan" + ], "related.user": [ "dolor" ], @@ -3031,6 +3291,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "giatquo3267.www.lan", + "quiado6095.mail.localhost" + ], "rsa.internal.event_desc": "Connected to Management Server", "rsa.internal.messageid": "Connected", "rsa.network.alias_host": [ @@ -3059,6 +3323,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "odite7850.internal.corp", + "cidun7605.www5.example" + ], "related.ip": [ "10.201.112.171" ], @@ -3111,6 +3379,9 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "ssitasp7492.test" + ], "rsa.internal.event_desc": "eserun", "rsa.internal.messageid": "302448900", "rsa.misc.event_source": "ssitaspe", @@ -3140,6 +3411,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "estq2131.api.localdomain", + "rem6392.internal.domain" + ], "rsa.internal.event_desc": "did", "rsa.internal.messageid": "302452802", "rsa.misc.event_source": "upt", @@ -3173,6 +3448,10 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "giatq7007.www.domain", + "upi3.www.home" + ], "rsa.internal.event_desc": "caecatc", "rsa.internal.messageid": "303235079", "rsa.misc.event_source": "iquaUt", @@ -3207,9 +3486,13 @@ "observer.product": "Endpoint", "observer.type": "Anti-Virus", "observer.vendor": "Symantec", + "related.hosts": [ + "itess2258.api.lan", + "ianonnu4387.www.domain" + ], "related.ip": [ - "10.59.140.108", - "10.90.66.238" + "10.90.66.238", + "10.59.140.108" ], "related.user": [ "nulap" 
@@ -3270,6 +3553,11 @@
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
 "observer.version": "1.6400",
+ "related.hosts": [
+ "epteur5858.www5.local",
+ "rin5257.www5.test",
+ "ess3012.mail.test"
+ ],
 "related.ip": [
 "10.38.136.160",
 "10.45.116.216"
@@ -3326,6 +3614,9 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "aed3193.api.lan"
+ ],
 "rsa.internal.event_desc": "equa",
 "rsa.internal.messageid": "302449409",
 "rsa.misc.event_source": "sunti",
@@ -3373,6 +3664,9 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "rumSec5271.home"
+ ],
 "rsa.internal.event_desc": "unt",
 "rsa.internal.messageid": "302449166",
 "rsa.misc.event_source": "evolupt",
@@ -3402,6 +3696,9 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "volu7499.www5.localhost"
+ ],
 "related.user": [
 "sedqui"
 ],
@@ -3437,6 +3734,10 @@
 "observer.product": "Endpoint",
 "observer.type": "Anti-Virus",
 "observer.vendor": "Symantec",
+ "related.hosts": [
+ "oNem5850.www.example",
+ "gnama2349.mail.domain"
+ ],
 "rsa.internal.event_desc": "ccusan",
 "rsa.internal.messageid": "302449409",
 "rsa.misc.event_source": "ntiu",
diff --git a/x-pack/filebeat/module/tomcat/log/config/input.yml b/x-pack/filebeat/module/tomcat/log/config/input.yml
index 256f657133f..d9f1e4a1452 100644
--- a/x-pack/filebeat/module/tomcat/log/config/input.yml
+++ b/x-pack/filebeat/module/tomcat/log/config/input.yml
@@ -42,4 +42,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml
index 9983081e838..37cb7678eca 100644
--- a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml
@@ -53,6 +53,21 @@ processors:
 field: destination.as.organization_name
 target_field: destination.as.organization.name
 ignore_missing: true
+ - append:
+ field: related.hosts
+ value: '{{rsa.web.fqdn}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.web?.fqdn != null
+ - append:
+ field: related.hosts
+ value: '{{rsa.web.web_ref_domain}}'
+ allow_duplicates: false
+ if: ctx?.rsa?.web?.web_ref_domain != null
+ - append:
+ field: related.hosts
+ value: '{{url.domain}}'
+ allow_duplicates: false
+ if: ctx?.url?.domain != null
 on_failure:
 - append:
 field: error.message
diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
index eb9298f3d1b..51d46cc753a 100644
--- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json
@@ -14,6 +14,11 @@
 "observer.product": "TomCat",
 "observer.type": "Web",
 "observer.vendor": "Apache",
+ "related.hosts": [
+ "https://example.com/illumqui/ventore.html?min=ite#utl",
+ "mail.example.net",
+ "example.com"
+ ],
 "related.ip": [
 "10.251.224.219"
 ],
@@ -68,6 +73,11 @@
 "observer.product": "TomCat",
 "observer.type": "Web",
 "observer.vendor": "Apache",
+ "related.hosts": [
+ "https://www5.example.net/mdolo/mqui.htm?sumdo=litesse#orev",
+ "mail.example.com",
+ "www5.example.net"
+ ],
 "related.ip": [
 "10.196.153.12"
 ],
@@ -121,6 +131,11 @@
 "observer.product": "TomCat",
 "observer.type": "Web",
 "observer.vendor": "Apache",
+ "related.hosts": [
+ "https://internal.example.com/tetur/idolor.html?ntex=eius#luptat",
+ "www.example.com",
+ "internal.example.com"
+ ],
 "related.ip": [
 "10.156.194.38"
 ],
@@ -177,6 +192,11 @@
 "observer.product": "TomCat",
 "observer.type": "Web",
 "observer.vendor": "Apache",
+ "related.hosts": [
+ "https://www5.example.org/nci/ofdeFin.gif?amco=exe#iatu",
+ "mail.example.com",
+ "www5.example.org"
+ ],
 "related.ip": [
 "10.196.118.192"
 ],
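Review bot: Appending `rsa.web.fqdn` to `related.hosts` puts full URLs into a hostname field: every added block in the tomcat generated.log-expected.json (starting with `@@ -14,6 +14,11 @@`) carries a value such as `https://example.com/illumqui/ventore.html?min=ite#utl` next to the bare `example.com` that the `url.domain` append already contributes. A string with scheme, path, query and fragment will never match a host pivot on `related.hosts`, and high-cardinality URL values in a keyword field are a storage concern. Drop the `rsa.web.fqdn` append, or parse the host out of it before appending if that field can hold a bare FQDN for some event types. The `processors` list starts before this hunk and `on_failure` continues after it.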
@@ -231,6 +251,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/aqui/radipis.jpg?llumd=enatuse#magn", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.246.209.145" ], @@ -285,6 +310,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/omnis/antium.txt?lupta=iusmodt#doloreeu", + "www5.example.org", + "internal.example.com" + ], "related.ip": [ "10.114.191.225" ], @@ -340,6 +370,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uidolore/niamqu.gif?iat=tevelit#nsequat", + "api.example.com", + "www5.example.net" + ], "related.ip": [ "10.38.77.13" ], @@ -397,6 +432,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/idexea/riat.txt?tvol=moll#tatione", + "mail.example.org", + "www.example.org" + ], "related.ip": [ "10.11.201.109" ], @@ -453,6 +493,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/toccae/tatno.gif?taliqu=temUten#ccusan", + "example.org", + "api.example.org" + ], "related.ip": [ "10.182.166.181" ], @@ -507,6 +552,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/atuse/ddoeiu.gif?idolore=onse#liq", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.185.126.247" ], @@ -560,6 +610,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/idestla/Nemoeni.htm?taed=lup#remeumf", + "mail.example.net", + "example.com" + ], "related.ip": [ "10.72.114.23" ], 
@@ -617,6 +672,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nimadmin/ditautfu.html?lpa=entsu#dun", + "internal.example.net", + "example.net" + ], "related.ip": [ "10.129.241.147" ], @@ -674,6 +734,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ono/stru.jpg?emaperi=tame#tinvol", + "internal.example.net", + "www5.example.com" + ], "related.ip": [ "10.185.101.76" ], @@ -730,6 +795,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/tion/eataev.htm?uiineavo=tisetq#irati", + "www.example.org", + "example.net" + ], "related.ip": [ "10.57.170.140" ], @@ -784,6 +854,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/isno/taliq.htm?nnu=dolo#Loremip", + "internal.example.net", + "internal.example.com" + ], "related.ip": [ "10.33.153.47" ], @@ -839,6 +914,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/mdolore/rQuisau.gif?iavolu=den#tutla", + "internal.example.net" + ], "related.ip": [ "10.116.104.101" ], @@ -895,6 +974,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/oidentsu/atiset.jpg?ntor=lpaqui#sitame", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.202.194.67" ], @@ -950,6 +1034,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/etconse/tincu.txt?lit=asun#estia", + "www.example.com", + "www5.example.com" + ], "related.ip": [ "10.153.111.103" ], 
@@ -1006,6 +1095,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/eriamea/amre.htm?magni=pisciv#iquidex", + "internal.example.net", + "www5.example.org" + ], "related.ip": [ "10.52.186.29" ], @@ -1061,6 +1155,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/iutali/fdeFi.jpg?liquide=etdol#uela", + "example.net", + "www.example.org" + ], "related.ip": [ "10.209.182.237" ], @@ -1118,6 +1217,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/itatione/isnis.html?oluptate=issus#osamn", + "api.example.org", + "mail.example.net" + ], "related.ip": [ "10.63.194.87" ], @@ -1174,6 +1278,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/emvel/tmollita.htm?numqua=veni#eveli", + "www5.example.org", + "www.example.org" + ], "related.ip": [ "10.62.191.18" ], @@ -1228,6 +1337,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/nisi/dant.txt?ecte=tinvolu#iurer", + "example.org", + "example.net" + ], "related.ip": [ "10.238.164.29" ], @@ -1282,6 +1396,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/sintocc/tlabor.txt?tDuisaut=oinBC#quameius", + "example.com", + "internal.example.com" + ], "related.ip": [ "10.155.230.17" ], @@ -1337,6 +1456,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/officiad/itam.html?madmi=tur#roi", + "mail.example.net", + "example.net" + ], "related.ip": [ "10.102.229.102" ], 
@@ -1394,6 +1518,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/tor/qui.txt?eavolup=fugiatn#docon", + "www5.example.org", + "mail.example.org" + ], "related.ip": [ "10.194.14.7" ], @@ -1450,6 +1579,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/roid/inibusB.jpg?Nemoenim=squirati#Sedutp", + "example.com", + "api.example.net" + ], "related.ip": [ "10.99.0.226" ], @@ -1504,6 +1638,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/str/idolore.txt?eetdolo=cteturad#untut", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.107.174.213" ], @@ -1559,6 +1698,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/iscinge/ofdeFini.jpg?molli=velitse#oditem", + "www.example.org", + "mail.example.org" + ], "related.ip": [ "10.84.25.23" ], @@ -1615,6 +1759,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/epre/tobeata.html?quia=iduntu#idestlab", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.193.143.108" ], @@ -1670,6 +1819,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/mexe/its.htm?ice=oles#edic", + "example.org", + "example.com" + ], "related.ip": [ "10.190.51.22" ], @@ -1727,6 +1881,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/velitess/naali.htm?nre=veli#volupta", + "www5.example.com", + "www.example.com" + ], "related.ip": [ "10.194.90.130" ], 
@@ -1779,6 +1938,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/xeacomm/cinge.txt?apariat=vitaedi#lorsita", + "internal.example.com", + "www.example.org" + ], "related.ip": [ "10.10.213.83" ], @@ -1834,6 +1998,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/texpli/exeacom.jpg?rita=esseci#tametcon", + "mail.example.net", + "api.example.org" + ], "related.ip": [ "10.52.125.9" ], @@ -1890,6 +2059,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/ibusBon/ven.gif?nsequat=doloreme#dun", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.19.17.202" ], @@ -1945,6 +2119,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/oconsequ/edquiac.gif?preh=ercit#etMal", + "api.example.com", + "mail.example.org" + ], "related.ip": [ "10.195.64.5" ], @@ -2002,6 +2181,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.com/llamc/nte.htm?utali=porinc#tetur", + "mail.example.com", + "internal.example.com" + ], "related.ip": [ "10.209.77.194" ], @@ -2058,6 +2242,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/ites/isetq.gif?nisiut=tur#avolupt", + "mail.example.org", + "example.net" + ], "related.ip": [ "10.168.6.90" ], @@ -2112,6 +2301,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/acommod/itsedd.html?admin=stenatu#inibu", + "api.example.org", + "mail.example.com" + ], "related.ip": [ "10.89.137.238" ], 
@@ -2166,6 +2360,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/Nequepor/eirure.htm?idid=tesse#sequat", + "www5.example.net", + "example.org" + ], "related.ip": [ "10.246.61.213" ], @@ -2221,6 +2420,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/tanimi/rumSecti.jpg?emporain=ntiumto#umetMalo", + "www5.example.net", + "www.example.org" + ], "related.ip": [ "10.117.44.138" ], @@ -2277,6 +2481,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/temUt/ptassita.gif?uamnihi=risnis#uov", + "www.example.net", + "example.net" + ], "related.ip": [ "10.69.30.196" ], @@ -2329,6 +2538,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/dictasun/abore.txt?modocon=ipsu#ntNeq", + "example.org", + "api.example.com" + ], "related.ip": [ "10.135.91.88" ], @@ -2384,6 +2598,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/Sedutpe/prehen.html?rcit=aecatcup#olabor", + "api.example.org", + "example.net" + ], "related.ip": [ "10.81.45.174" ], @@ -2440,6 +2659,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/umetMal/asper.htm?metcons=itasper#uae", + "www.example.org" + ], "related.ip": [ "10.87.179.233" ], @@ -2494,6 +2717,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/mquisn/queips.gif?emUte=molestia#quir", + "example.com", + "api.example.net" + ], "related.ip": [ "10.198.57.130" ], 
@@ -2548,6 +2776,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/yCic/nder.jpg?itanim=nesciun#saqu", + "www.example.org", + "www.example.net" + ], "related.ip": [ "10.218.0.197" ], @@ -2603,6 +2836,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ecatcupi/uamei.html?nreprehe=onse#olorem", + "example.com", + "mail.example.com" + ], "related.ip": [ "10.123.199.198" ], @@ -2660,6 +2898,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/ection/roquisqu.html?ceroinB=nim#utaliqu", + "example.org", + "internal.example.net" + ], "related.ip": [ "10.29.119.245" ], @@ -2717,6 +2960,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/iutali/itat.txt?Finibus=radi#xeacom", + "www.example.org", + "mail.example.net" + ], "related.ip": [ "10.130.175.17" ], @@ -2773,6 +3021,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/lmolesti/apariatu.htm?moe=msequ#uat", + "internal.example.org", + "mail.example.net" + ], "related.ip": [ "10.166.90.130" ], @@ -2828,6 +3081,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.org/ratv/alorum.jpg?tali=BCS#qui", + "internal.example.org", + "api.example.org" + ], "related.ip": [ "10.248.111.207" ], @@ -2884,6 +3142,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/gitse/ugitse.jpg?tvolup=tdolore#ventore", + "api.example.net", + "internal.example.net" + ], "related.ip": [ "10.185.37.32" ], 
@@ -2938,6 +3201,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/pisc/urEx.html?rautod=olest#eataev", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.5.194.202" ], @@ -2993,6 +3261,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/aconse/prehe.gif?diduntu=eiusmod#itation", + "www.example.org", + "www5.example.com" + ], "related.ip": [ "10.183.34.1" ], @@ -3049,6 +3322,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/reetdolo/rationev.html?reetdol=uelauda#ema", + "internal.example.com", + "mail.example.net" + ], "related.ip": [ "10.101.163.40" ], @@ -3104,6 +3382,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/mUteni/quira.htm?ore=tation#loinve", + "internal.example.com", + "www5.example.com" + ], "related.ip": [ "10.216.188.152" ], @@ -3160,6 +3443,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/setquas/minim.gif?tutlabor=reseosq#gna", + "mail.example.net", + "www5.example.org" + ], "related.ip": [ "10.94.140.77" ], @@ -3212,6 +3500,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/laudanti/umiurer.txt?rsitvolu=mnisi#usmo", + "mail.example.org", + "www.example.com" + ], "related.ip": [ "10.223.205.204" ], @@ -3267,6 +3560,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/ici/nisiuta.jpg?itae=dtempo#atnula", + "example.com", + "mail.example.org" + ], "related.ip": [ "10.85.137.156" ], 
@@ -3324,6 +3622,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/eseruntm/lpaquiof.html?magnaal=uscip#umS", + "www5.example.net", + "mail.example.com" + ], "related.ip": [ "10.12.54.142" ], @@ -3380,6 +3683,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/labori/porai.gif?utali=sed#xeac", + "internal.example.org", + "example.net" + ], "related.ip": [ "10.158.6.52" ], @@ -3435,6 +3743,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/orissu/fic.gif?ese=mmodoco#amni", + "example.com", + "www5.example.org" + ], "related.ip": [ "10.195.160.182" ], @@ -3491,6 +3804,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/iuntNeq/eddoei.jpg?sseq=eriam#pernat", + "example.net", + "mail.example.com" + ], "related.ip": [ "10.20.68.117" ], @@ -3546,6 +3864,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/tanimid/onpr.gif?gelitse=oremqu#idex", + "www5.example.org", + "www5.example.com" + ], "related.ip": [ "10.94.136.235" ], @@ -3603,6 +3926,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/ntorever/pisciv.gif?eritq=rehen#ipsamvol", + "example.com", + "www.example.net" + ], "related.ip": [ "10.152.11.26" ], @@ -3656,6 +3984,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/quu/xeac.htm?abor=oreverit#scip", + "www5.example.com" + ], "related.ip": [ "10.82.118.95" ], 
@@ -3712,6 +4044,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/mini/Loremip.html?tur=atnonpr#ita", + "www5.example.net", + "www.example.net" + ], "related.ip": [ "10.187.152.213" ], @@ -3767,6 +4104,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/duntutla/lamco.txt?isci=Dui#reetdo", + "internal.example.net", + "www.example.net" + ], "related.ip": [ "10.98.71.45" ], @@ -3823,6 +4165,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/tev/nre.html?occaeca=eturadip#ent", + "www5.example.org", + "www5.example.net" + ], "related.ip": [ "10.86.123.33" ], @@ -3877,6 +4224,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.net/uamnih/nseq.txt?uidolo=umdolore#dmi", + "api.example.net", + "www5.example.net" + ], "related.ip": [ "10.6.112.183" ], @@ -3932,6 +4284,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/umdolor/isiu.html?mmodi=snostr#eniamqu", + "www5.example.org", + "example.net" + ], "related.ip": [ "10.227.156.143" ], @@ -3985,6 +4342,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/ibusBo/untincu.jpg?lesti=sintocca#mipsumqu", + "example.net", + "example.org" + ], "related.ip": [ "10.124.129.248" ], @@ -4042,6 +4404,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.org/magnaa/sumquiad.gif?oluptate=Duisa#consequa", + "www5.example.net", + "www5.example.org" + ], "related.ip": [ "10.173.125.112" ], 
@@ -4098,6 +4465,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/evolup/rvelil.gif?eavolup=ipsumq#evit", + "api.example.net", + "www.example.org" + ], "related.ip": [ "10.37.156.140" ], @@ -4150,6 +4522,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/oremip/its.jpg?iavol=natuserr#ostrudex", + "www5.example.org", + "example.com" + ], "related.ip": [ "10.121.225.135" ], @@ -4204,6 +4581,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/animid/upta.jpg?onnumqua=quioff#iuntN", + "mail.example.net", + "www.example.org" + ], "related.ip": [ "10.123.68.56" ], @@ -4259,6 +4641,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/itesse/expl.html?prehende=lup#tpers", + "mail.example.net", + "api.example.net" + ], "related.ip": [ "10.63.56.164" ], @@ -4316,6 +4703,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/deritinv/evelite.html?iav=odico#rsint", + "example.com", + "example.net" + ], "related.ip": [ "10.62.10.137" ], @@ -4373,6 +4765,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/tseddoei/teursint.htm?remagnaa=lamcolab#ceroinB", + "api.example.net", + "example.org" + ], "related.ip": [ "10.89.154.115" ], @@ -4429,6 +4826,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www5.example.com/ciad/ugiatqu.gif?turveli=isciv#natus", + "api.example.org", + "www5.example.com" + ], "related.ip": [ "10.122.252.130" ], 
@@ -4483,6 +4885,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/olore/ntutlab.htm?ameaquei=gnama#esciun", + "www.example.net", + "api.example.com" + ], "related.ip": [ "10.195.152.53" ], @@ -4534,6 +4941,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/rvelil/adese.htm?incidi=aedictas#rumetMa", + "mail.example.com" + ], "related.ip": [ "10.9.255.204" ], @@ -4591,6 +5002,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/oremi/ectobeat.gif?oreeu=uasiarch#Malor", + "internal.example.net", + "www.example.org" + ], "related.ip": [ "10.214.235.133" ], @@ -4648,6 +5064,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.com/orsitam/tiset.jpg?ati=rauto#doloreeu", + "api.example.org", + "api.example.com" + ], "related.ip": [ "10.5.134.204" ], @@ -4704,6 +5125,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.org/rep/mveni.txt?utpers=num#ctetura", + "internal.example.com", + "example.org" + ], "related.ip": [ "10.144.111.42" ], @@ -4758,6 +5184,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.net/adm/snostr.jpg?tec=itaspe#con", + "www.example.com", + "example.net" + ], "related.ip": [ "10.122.0.80" ], @@ -4813,6 +5244,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.com/ccusant/epteurs.htm?oidentsu=oditau#onsec", + "www.example.net", + "mail.example.com" + ], "related.ip": [ "10.165.33.19" ], 
@@ -4870,6 +5306,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.org/onemul/trudexe.txt?ura=oreeufug#Quisa", + "internal.example.org", + "mail.example.org" + ], "related.ip": [ "10.87.92.17" ], @@ -4926,6 +5367,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/lorese/olupta.jpg?onsec=idestl#litani", + "internal.example.org", + "example.com" + ], "related.ip": [ "10.51.52.203" ], @@ -4981,6 +5427,10 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.net/llitani/uscipit.html?etcons=etco#iuntN", + "internal.example.net" + ], "related.ip": [ "10.0.211.86" ], @@ -5037,6 +5487,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://mail.example.net/ptat/mipsu.htm?eturadip=amquaera#rsitamet", + "example.net", + "mail.example.net" + ], "related.ip": [ "10.106.34.244" ], @@ -5091,6 +5546,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/quae/periam.html?emoenimi=iquipex#mqu", + "example.net", + "www.example.org" + ], "related.ip": [ "10.191.210.188" ], @@ -5145,6 +5605,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.com/bori/dipi.gif?utf=dolor#dexe", + "www.example.org", + "www.example.com" + ], "related.ip": [ "10.2.38.49" ], @@ -5196,6 +5661,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/iat/tqui.gif?utaliqui=emse#emqui", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.66.92.90" ], 
@@ -5253,6 +5723,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://example.com/caboN/imipsam.jpg?catcupid=ritquiin#quisnost", + "mail.example.com", + "example.com" + ], "related.ip": [ "10.97.108.108" ], @@ -5310,6 +5785,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://api.example.net/uiaco/aliqu.txt?udexerci=uae#imveni", + "www5.example.org", + "api.example.net" + ], "related.ip": [ "10.147.147.248" ], @@ -5367,6 +5847,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.org/roinBCSe/eetdolor.html?tla=iaconseq#sed", + "api.example.com", + "www.example.org" + ], "related.ip": [ "10.152.190.61" ], @@ -5424,6 +5909,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://www.example.net/tvolu/imve.txt?gnaaliq=quam#deriti", + "api.example.org", + "www.example.net" + ], "related.ip": [ "10.129.232.105" ], @@ -5480,6 +5970,11 @@ "observer.product": "TomCat", "observer.type": "Web", "observer.vendor": "Apache", + "related.hosts": [ + "https://internal.example.org/teturadi/radipi.gif?upidatat=mod#niamqui", + "api.example.net", + "internal.example.org" + ], "related.ip": [ "10.12.173.112" ], diff --git a/x-pack/filebeat/module/zscaler/zia/config/input.yml b/x-pack/filebeat/module/zscaler/zia/config/input.yml index 05e5f5c886e..f2963a231f1 100644 --- a/x-pack/filebeat/module/zscaler/zia/config/input.yml +++ b/x-pack/filebeat/module/zscaler/zia/config/input.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.5.0 + ecs.version: 1.6.0 diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml index aae73dd9ded..58d755aa4e9 100644 --- a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml @@ -53,6 +53,16 @@ processors: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + - append: + field: related.hosts + value: '{{rsa.web.fqdn}}' + allow_duplicates: false + if: ctx?.rsa?.web?.fqdn != null + - append: + field: related.hosts + value: '{{host.name}}' + allow_duplicates: false + if: ctx?.host?.name != null on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 83ab2f5f5b7..b7bd436496b 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -22,9 +22,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rci737.www5.example" + ], "related.ip": [ - "10.206.191.17", - "10.176.10.114" + "10.176.10.114", + "10.206.191.17" ], "related.user": [ "sumdo" @@ -38,8 +41,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntium", "rsa.misc.action": [ - "pisciv", - "Blocked" + "Blocked", + "pisciv" ], "rsa.misc.category": "umq", "rsa.misc.filter": "oremi", @@ -93,9 +96,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eosquir5191.www.example" + ], "related.ip": [ - "10.173.22.152", - "10.26.46.95" + "10.26.46.95", + "10.173.22.152" ], "related.user": [ "eataevi" @@ -109,8 +115,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "luptat", "rsa.misc.action": [ - "tur", - "Allowed" + "Allowed", + "tur" ], "rsa.misc.category": "eius", "rsa.misc.filter": "ameaqu", 
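Review bot: The second `append` pushes `host.name` into `related.hosts`, but this hunk does not show whether `host.name` is parsed from the Zscaler record or set for the collector itself by the Beat's host-metadata fields; if it is the latter, every event gains the forwarder's own hostname in a field meant for pivoting on entities in the event, so the field's origin should be confirmed and the append either dropped or pointed at the device-side field. `rsa.web.fqdn` comes from the client's request and is attacker-controlled, and since `related.hosts` is a keyword field, case variants will not correlate with other sources; a normalization step before the append, e.g. `- lowercase: { field: rsa.web.fqdn, ignore_missing: true }`, would make the value match consistently (the same consideration applies to the fixture's `related.ip` ordering, which this change did not touch yet reorders, suggesting the regenerated expectations are not order-stable). Both appends are inserted into the pipeline's `processors` list, whose start and remaining entries lie outside this hunk.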
@@ -166,9 +172,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "orsitame3262.domain" + ], "related.ip": [ - "10.204.86.149", - "10.254.146.57" + "10.254.146.57", + "10.204.86.149" ], "related.user": [ "tenima" @@ -182,8 +191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "Blocked", - "giatq" + "giatq", + "Blocked" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -239,9 +248,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tempor4496.www.localdomain" + ], "related.ip": [ - "10.103.246.190", - "10.252.125.53" + "10.252.125.53", + "10.103.246.190" ], "related.user": [ "equun" @@ -312,9 +324,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ore2933.www.test" + ], "related.ip": [ - "10.136.153.149", - "10.61.78.108" + "10.61.78.108", + "10.136.153.149" ], "related.user": [ "ercit" @@ -328,8 +343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "Blocked", - "reetdolo" + "reetdolo", + "Blocked" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -385,9 +400,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ollit4105.mail.localdomain" + ], "related.ip": [ - "10.66.250.92", - "10.183.16.166" + "10.183.16.166", + "10.66.250.92" ], "related.user": [ "tessec" @@ -458,9 +476,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cup1793.local" + ], "related.ip": [ - "10.123.104.59", - "10.243.224.205" + "10.243.224.205", + "10.123.104.59" ], "related.user": [ "xercitat" 
@@ -531,9 +552,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icab4668.local" + ], "related.ip": [ - "10.119.185.63", - "10.74.17.5" + "10.74.17.5", + "10.119.185.63" ], "related.user": [ "erc" @@ -547,8 +571,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "Blocked", - "nsec" + "nsec", + "Blocked" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", @@ -604,6 +628,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aperia4409.www5.invalid" + ], "related.ip": [ "10.78.151.178", "10.25.192.202" @@ -677,6 +704,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitvolup368.internal.host" + ], "related.ip": [ "10.135.225.244", "10.71.170.37" @@ -693,8 +723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "psaquae", - "Allowed" + "Allowed", + "psaquae" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -750,6 +780,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ite2026.www.invalid" + ], "related.ip": [ "10.19.145.131", "10.223.247.86" @@ -766,8 +799,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "sci", "rsa.misc.action": [ - "emseq", - "Allowed" + "Allowed", + "emseq" ], "rsa.misc.category": "exercit", "rsa.misc.filter": "taevit", @@ -823,9 +856,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "radipisc7020.home" + ], "related.ip": [ - "10.181.80.139", - "10.2.53.125" + "10.2.53.125", + "10.181.80.139" ], "related.user": [ "ihilmo" 
@@ -839,8 +875,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dolorem", "rsa.misc.action": [ - "lorsitam", - "Allowed" + "Allowed", + "lorsitam" ], "rsa.misc.category": "proide", "rsa.misc.filter": "pariatu", @@ -896,9 +932,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2493.www.test" + ], "related.ip": [ - "10.167.98.76", - "10.31.240.6" + "10.31.240.6", + "10.167.98.76" ], "related.user": [ "ratvolu" @@ -969,6 +1008,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "piscin6866.internal.host" + ], "related.ip": [ "10.135.160.125", "10.0.55.9" @@ -985,8 +1027,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iurer", "rsa.misc.action": [ - "Allowed", - "ionevo" + "ionevo", + "Allowed" ], "rsa.misc.category": "tinvolu", "rsa.misc.filter": "idex", @@ -1042,6 +1084,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "spi3544.www.host" + ], "related.ip": [ "10.63.250.128", "10.111.187.12" @@ -1058,8 +1103,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "Allowed", - "ntoccae" + "ntoccae", + "Allowed" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1115,9 +1160,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tlab5981.www.host" + ], "related.ip": [ - "10.252.124.150", - "10.5.126.127" + "10.5.126.127", + "10.252.124.150" ], "related.user": [ "inibusB" @@ -1188,6 +1236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "upida508.example" + ], "related.ip": [ "10.201.171.120", "10.91.126.231" 
@@ -1261,6 +1312,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oditem5255.api.localdomain" + ], "related.ip": [ "10.107.251.87", "10.135.82.97" @@ -1277,8 +1331,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "Allowed", - "itecto" + "itecto", + "Allowed" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1334,6 +1388,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uamei2389.internal.example" + ], "related.ip": [ "10.215.205.216", "10.31.198.58" @@ -1407,6 +1464,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eacommod1930.internal.lan" + ], "related.ip": [ "10.229.83.165", "10.29.155.171" @@ -1423,8 +1483,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "Allowed", - "llitanim" + "llitanim", + "Allowed" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1480,6 +1540,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tem6984.www5.domain" + ], "related.ip": [ "10.161.148.64", "10.129.192.145" @@ -1553,6 +1616,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapariat7287.internal.host" + ], "related.ip": [ "10.203.65.161", "10.7.200.140" @@ -1569,8 +1635,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "nte", - "Allowed" + "Allowed", + "nte" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", 
@@ -1626,6 +1692,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "licabo1493.api.corp" + ], "related.ip": [ "10.86.22.67", "10.218.98.29" @@ -1699,9 +1768,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "stenatu4844.www.invalid" + ], "related.ip": [ - "10.24.111.229", - "10.39.31.115" + "10.39.31.115", + "10.24.111.229" ], "related.user": [ "fugi" @@ -1715,8 +1787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ulpa", "rsa.misc.action": [ - "Allowed", - "gnaal" + "gnaal", + "Allowed" ], "rsa.misc.category": "nte", "rsa.misc.filter": "pid", @@ -1772,6 +1844,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sitam5077.internal.host" + ], "related.ip": [ "10.32.39.220", "10.179.210.218" @@ -1845,9 +1920,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dquia107.www.test" + ], "related.ip": [ - "10.88.172.34", - "10.128.173.19" + "10.128.173.19", + "10.88.172.34" ], "related.user": [ "agnaaliq" @@ -1918,6 +1996,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lloin4019.www.localhost" + ], "related.ip": [ "10.130.241.232", "10.238.224.49" @@ -1934,8 +2015,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mnisiut", "rsa.misc.action": [ - "Allowed", - "mod" + "mod", + "Allowed" ], "rsa.misc.category": "uiinea", "rsa.misc.filter": "aturQu", @@ -1991,6 +2072,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamet6317.www.host" + ], "related.ip": [ "10.2.67.127", "10.115.53.31" 
@@ -2007,8 +2091,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quatD", "rsa.misc.action": [ - "Allowed", - "tatem" + "tatem", + "Allowed" ], "rsa.misc.category": "aincidun", "rsa.misc.filter": "uela", @@ -2064,9 +2148,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "saquaea6344.www.invalid" + ], "related.ip": [ - "10.204.214.251", - "10.101.38.213" + "10.101.38.213", + "10.204.214.251" ], "related.user": [ "ueipsa" @@ -2080,8 +2167,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tasun", "rsa.misc.action": [ - "Allowed", - "quasiarc" + "quasiarc", + "Allowed" ], "rsa.misc.category": "autfugi", "rsa.misc.filter": "ritqu", @@ -2137,6 +2224,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "utaliqu4248.www.localhost" + ], "related.ip": [ "10.18.226.72", "10.101.85.169" @@ -2153,8 +2243,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "Allowed", - "vitaed" + "vitaed", + "Allowed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2210,6 +2300,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdolore473.internal.test" + ], "related.ip": [ "10.242.182.193", "10.87.100.240" @@ -2283,6 +2376,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tatio6513.www.invalid" + ], "related.ip": [ "10.80.57.247", "10.229.242.223" @@ -2356,6 +2452,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "lapar1599.www.lan" + ], "related.ip": [ "10.193.66.155", "10.106.77.138" 
@@ -2429,9 +2528,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquioff3853.www.localdomain" + ], "related.ip": [ - "10.236.230.136", - "10.54.159.1" + "10.54.159.1", + "10.236.230.136" ], "related.user": [ "mUteni" @@ -2445,8 +2547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tec", "rsa.misc.action": [ - "Allowed", - "tatema" + "tatema", + "Allowed" ], "rsa.misc.category": "emullamc", "rsa.misc.filter": "emveleum", @@ -2502,6 +2604,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ura675.mail.localdomain" + ], "related.ip": [ "10.131.246.134", "10.49.242.174" @@ -2575,6 +2680,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iamea478.www5.host" + ], "related.ip": [ "10.142.120.198", "10.166.10.42" @@ -2591,8 +2699,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ende", "rsa.misc.action": [ - "Blocked", - "doconse" + "doconse", + "Blocked" ], "rsa.misc.category": "uovolupt", "rsa.misc.filter": "litesse", @@ -2648,9 +2756,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eaque6543.api.domain" + ], "related.ip": [ - "10.138.188.201", - "10.128.184.241" + "10.128.184.241", + "10.138.188.201" ], "related.user": [ "etur" @@ -2664,8 +2775,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issu", "rsa.misc.action": [ - "sed", - "Allowed" + "Allowed", + "sed" ], "rsa.misc.category": "atur", "rsa.misc.filter": "iciadese", @@ -2721,6 +2832,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "eufug1756.mail.corp" + ], "related.ip": [ "10.53.101.131", "10.213.57.165" 
@@ -2737,8 +2851,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ese", "rsa.misc.action": [ - "litanim", - "Allowed" + "Allowed", + "litanim" ], "rsa.misc.category": "idata", "rsa.misc.filter": "urerepre", @@ -2794,6 +2908,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "orp5697.www.invalid" + ], "related.ip": [ "10.243.6.41", "10.55.81.14" @@ -2810,8 +2927,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "lestia", - "Blocked" + "Blocked", + "lestia" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2867,9 +2984,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pariatur7238.www5.invalid" + ], "related.ip": [ - "10.33.144.10", - "10.202.224.79" + "10.202.224.79", + "10.33.144.10" ], "related.user": [ "rios" @@ -2940,9 +3060,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fficia2304.www5.home" + ], "related.ip": [ - "10.158.18.51", - "10.20.124.138" + "10.20.124.138", + "10.158.18.51" ], "related.user": [ "CSe" @@ -3013,6 +3136,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mquisnos7453.home" + ], "related.ip": [ "10.134.128.27", "10.118.177.136" @@ -3086,9 +3212,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aquio748.www.localhost" + ], "related.ip": [ - "10.125.120.97", - "10.68.8.143" + "10.68.8.143", + "10.125.120.97" ], "related.user": [ "reet" 
@@ -3102,8 +3231,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "amni", "rsa.misc.action": [ - "edutp", - "Allowed" + "Allowed", + "edutp" ], "rsa.misc.category": "ames", "rsa.misc.filter": "dmi", @@ -3159,9 +3288,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remagnam796.mail.corp" + ], "related.ip": [ - "10.143.0.78", - "10.137.164.122" + "10.137.164.122", + "10.143.0.78" ], "related.user": [ "orissus" @@ -3175,8 +3307,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "etdol", "rsa.misc.action": [ - "Blocked", - "mwrit" + "mwrit", + "Blocked" ], "rsa.misc.category": "inim", "rsa.misc.filter": "aturQu", @@ -3232,9 +3364,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "etdolore4227.internal.corp" + ], "related.ip": [ - "10.156.177.53", - "10.30.87.51" + "10.30.87.51", + "10.156.177.53" ], "related.user": [ "psaquaea" @@ -3248,8 +3383,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatno", "rsa.misc.action": [ - "Blocked", - "ptatev" + "ptatev", + "Blocked" ], "rsa.misc.category": "udexerc", "rsa.misc.filter": "ptatemse", @@ -3305,6 +3440,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rors1935.api.domain" + ], "related.ip": [ "10.83.138.34", "10.111.249.184" @@ -3378,6 +3516,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "idexeac1655.internal.test" + ], "related.ip": [ "10.141.195.13", "10.180.150.47" @@ -3394,8 +3535,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "uip", - "Allowed" + "Allowed", + "uip" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", 
@@ -3451,9 +3592,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "laboree3880.api.invalid" + ], "related.ip": [ - "10.166.195.20", - "10.255.40.12" + "10.255.40.12", + "10.166.195.20" ], "related.user": [ "lamcolab" @@ -3467,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mipsumq", "rsa.misc.action": [ - "Allowed", - "citation" + "citation", + "Allowed" ], "rsa.misc.category": "usant", "rsa.misc.filter": "Nem", @@ -3522,9 +3666,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tecto708.www5.example" + ], "related.ip": [ - "10.100.143.226", - "10.22.122.43" + "10.22.122.43", + "10.100.143.226" ], "related.user": [ "ute" @@ -3595,6 +3742,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ine3181.www.invalid" + ], "related.ip": [ "10.119.53.68", "10.121.9.5" @@ -3611,8 +3761,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "Blocked", - "tinvolup" + "tinvolup", + "Blocked" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3668,6 +3818,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tsunt3403.www5.test" + ], "related.ip": [ "10.31.153.177", "10.237.0.173" @@ -3739,9 +3892,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pitl6126.www.localdomain" + ], "related.ip": [ - "10.243.182.229", - "10.229.102.140" + "10.229.102.140", + "10.243.182.229" ], "related.user": [ "duntut" 
@@ -3808,9 +3964,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remaper3297.internal.test" + ], "related.ip": [ - "10.39.46.155", - "10.120.138.109" + "10.120.138.109", + "10.39.46.155" ], "related.user": [ "picia" @@ -3881,9 +4040,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tamr1693.api.home" + ], "related.ip": [ - "10.133.102.57", - "10.53.191.49" + "10.53.191.49", + "10.133.102.57" ], "related.user": [ "onsec" @@ -3897,8 +4059,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "emp", - "Blocked" + "Blocked", + "emp" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -3954,6 +4116,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "cia5990.api.localdomain" + ], "related.ip": [ "10.89.41.97", "10.91.2.225" @@ -4027,6 +4192,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "riatu2467.lan" + ], "related.ip": [ "10.221.20.165", "10.7.18.226" @@ -4043,8 +4211,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iadeseru", "rsa.misc.action": [ - "Allowed", - "epreh" + "epreh", + "Allowed" ], "rsa.misc.category": "ruredol", "rsa.misc.filter": "atquo", @@ -4100,6 +4268,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "pici1525.www5.corp" + ], "related.ip": [ "10.155.252.123", "10.178.148.188" @@ -4116,8 +4287,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inimve", "rsa.misc.action": [ - "niam", - "Allowed" + "Allowed", + "niam" ], "rsa.misc.category": "perspici", "rsa.misc.filter": "uipe", 
@@ -4173,6 +4344,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "dolo6418.internal.host" + ], "related.ip": [ "10.190.42.245", "10.220.1.249" @@ -4244,6 +4418,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "imveni193.www5.host" + ], "related.ip": [ "10.55.38.153", "10.112.190.154" @@ -4260,8 +4437,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tin", "rsa.misc.action": [ - "urau", - "Allowed" + "Allowed", + "urau" ], "rsa.misc.category": "isiut", "rsa.misc.filter": "cons", @@ -4317,9 +4494,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ionu3320.api.localhost" + ], "related.ip": [ - "10.195.153.42", - "10.250.48.82" + "10.250.48.82", + "10.195.153.42" ], "related.user": [ "tsedquia" @@ -4333,8 +4513,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "Allowed", - "upidatat" + "upidatat", + "Allowed" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4390,6 +4570,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "remips1499.www.local" + ], "related.ip": [ "10.252.164.230", "10.60.52.219" @@ -4406,8 +4589,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "Blocked", - "fdeFin" + "fdeFin", + "Blocked" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4459,9 +4642,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "mdoloree96.domain" + ], "related.ip": [ - "10.122.102.156", - "10.187.16.73" + "10.187.16.73", + "10.122.102.156" ], "related.user": [ "emoen" 
@@ -4475,8 +4661,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dipisc", "rsa.misc.action": [ - "turad", - "Allowed" + "Allowed", + "turad" ], "rsa.misc.category": "ulpaquio", "rsa.misc.filter": "ngelits", @@ -4532,9 +4718,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iatnulap7662.internal.local" + ], "related.ip": [ - "10.248.108.55", - "10.120.215.174" + "10.120.215.174", + "10.248.108.55" ], "related.user": [ "prehend" @@ -4548,8 +4737,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "Allowed", - "uatDu" + "uatDu", + "Allowed" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4603,9 +4792,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "sBonoru1929.example" + ], "related.ip": [ - "10.15.254.181", - "10.51.161.245" + "10.51.161.245", + "10.15.254.181" ], "related.user": [ "abo" @@ -4619,8 +4811,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "modit", "rsa.misc.action": [ - "uteiru", - "Allowed" + "Allowed", + "uteiru" ], "rsa.misc.category": "qua", "rsa.misc.filter": "saute", @@ -4676,9 +4868,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onorumet4871.lan" + ], "related.ip": [ - "10.129.66.196", - "10.7.152.238" + "10.7.152.238", + "10.129.66.196" ], "related.user": [ "equamn" @@ -4749,6 +4944,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onproi4354.www5.invalid" + ], "related.ip": [ "10.185.107.27", "10.29.162.157" 
@@ -4765,8 +4963,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "squirat", - "Blocked" + "Blocked", + "squirat" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -4822,9 +5020,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "beataevi7552.api.test" + ], "related.ip": [ - "10.138.0.214", - "10.215.63.248" + "10.215.63.248", + "10.138.0.214" ], "related.user": [ "eavolupt" @@ -4895,6 +5096,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rvelill1981.www.invalid" + ], "related.ip": [ "10.12.130.224", "10.26.115.88" @@ -4968,9 +5172,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "quia7214.example" + ], "related.ip": [ - "10.193.152.42", - "10.91.20.27" + "10.91.20.27", + "10.193.152.42" ], "related.user": [ "edict" @@ -4984,8 +5191,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "plicab", "rsa.misc.action": [ - "umq", - "Blocked" + "Blocked", + "umq" ], "rsa.misc.category": "eruntmol", "rsa.misc.filter": "labore", @@ -5041,6 +5248,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aturExc7343.invalid" + ], "related.ip": [ "10.146.69.38", "10.55.192.102" @@ -5114,6 +5324,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "olo7317.www5.localhost" + ], "related.ip": [ "10.249.1.143", "10.124.177.226" @@ -5130,8 +5343,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "Utenim", "rsa.misc.action": [ - "Allowed", - "onevo" + "onevo", + "Allowed" ], "rsa.misc.category": "tdolore", "rsa.misc.filter": "ptasn", 
@@ -5187,9 +5400,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uiin1342.mail.invalid" + ], "related.ip": [ - "10.167.176.220", - "10.146.228.249" + "10.146.228.249", + "10.167.176.220" ], "related.user": [ "estla" @@ -5203,8 +5419,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ect", "rsa.misc.action": [ - "maccu", - "Blocked" + "Blocked", + "maccu" ], "rsa.misc.category": "iaecon", "rsa.misc.filter": "eni", @@ -5260,9 +5476,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "agna5654.www.corp" + ], "related.ip": [ - "10.200.74.101", - "10.203.47.23" + "10.203.47.23", + "10.200.74.101" ], "related.user": [ "litesse" @@ -5276,8 +5495,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "iqu", - "Allowed" + "Allowed", + "iqu" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5333,6 +5552,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ites5711.internal.host" + ], "related.ip": [ "10.162.78.48", "10.24.23.209" @@ -5349,8 +5571,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ereprehe", "rsa.misc.action": [ - "tutl", - "Blocked" + "Blocked", + "tutl" ], "rsa.misc.category": "mip", "rsa.misc.filter": "umSecti", @@ -5406,6 +5628,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oluptat2848.api.home" + ], "related.ip": [ "10.211.66.68", "10.55.151.53" @@ -5422,8 +5647,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "umet", - "Allowed" + "Allowed", + "umet" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", 
@@ -5479,6 +5704,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ngelitse7535.internal.lan" + ], "related.ip": [ "10.110.16.169", "10.209.203.156" @@ -5495,8 +5723,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iamquisn", "rsa.misc.action": [ - "lupta", - "Blocked" + "Blocked", + "lupta" ], "rsa.misc.category": "uasiarch", "rsa.misc.filter": "usBonor", @@ -5552,6 +5780,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tiumtot3611.internal.localdomain" + ], "related.ip": [ "10.107.68.114", "10.84.9.150" @@ -5625,6 +5856,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "gnaa4656.api.example" + ], "related.ip": [ "10.124.119.48", "10.26.222.144" @@ -5698,6 +5932,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "psaqu6066.www5.localhost" + ], "related.ip": [ "10.164.190.2", "10.223.11.164" @@ -5714,8 +5951,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "antium", - "Allowed" + "Allowed", + "antium" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -5771,6 +6008,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "iavol5202.api.example" + ], "related.ip": [ "10.121.181.243", "10.14.37.8" @@ -5844,9 +6084,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uame1361.api.local" + ], "related.ip": [ - "10.10.93.133", - "10.90.20.202" + "10.90.20.202", + "10.10.93.133" ], "related.user": [ "evita" 
@@ -5917,9 +6160,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "rsitame4049.internal.corp" + ], "related.ip": [ - "10.34.98.144", - "10.77.102.206" + "10.77.102.206", + "10.34.98.144" ], "related.user": [ "tectobe" @@ -5990,6 +6236,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "elit912.www5.test" + ], "related.ip": [ "10.176.233.249", "10.75.144.118" @@ -6006,8 +6255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "essequa", "rsa.misc.action": [ - "odic", - "Blocked" + "Blocked", + "odic" ], "rsa.misc.category": "cto", "rsa.misc.filter": "odite", @@ -6063,9 +6312,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "tat6671.www.local" + ], "related.ip": [ - "10.236.55.236", - "10.149.6.107" + "10.149.6.107", + "10.236.55.236" ], "related.user": [ "redolo" @@ -6136,6 +6388,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "uis5050.www.local" + ], "related.ip": [ "10.97.202.149", "10.13.125.101" @@ -6209,6 +6464,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ficiad1312.api.host" + ], "related.ip": [ "10.141.66.163", "10.230.61.102" @@ -6282,6 +6540,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "itaspe921.mail.invalid" + ], "related.ip": [ "10.10.25.145", "10.224.249.228" @@ -6355,6 +6616,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "archite4407.mail.invalid" + ], "related.ip": [ "10.247.255.107", "10.234.34.40" 
@@ -6371,8 +6635,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "Blocked", - "nofdeF" + "nofdeF", + "Blocked" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", @@ -6428,6 +6692,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "aria1424.mail.home" + ], "related.ip": [ "10.250.102.42", "10.124.81.20" @@ -6444,8 +6711,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6501,6 +6768,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "Bonoru7444.www5.example" + ], "related.ip": [ "10.166.205.159", "10.154.188.132" @@ -6517,8 +6787,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "proid", "rsa.misc.action": [ - "onevolu", - "Allowed" + "Allowed", + "onevolu" ], "rsa.misc.category": "iratio", "rsa.misc.filter": "odita", @@ -6570,6 +6840,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "icero1297.internal.domain" + ], "related.ip": [ "10.46.71.46", "10.138.193.38" @@ -6586,8 +6859,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "upta", "rsa.misc.action": [ - "uovolup", - "Allowed" + "Allowed", + "uovolup" ], "rsa.misc.category": "todit", "rsa.misc.filter": "atisetq", @@ -6639,6 +6912,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oloremeu5047.www5.invalid" + ], "related.ip": [ "10.172.159.251", "10.254.119.31" 
@@ -6655,8 +6931,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "Blocked", - "tatemacc" + "tatemacc", + "Blocked" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6712,9 +6988,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "edutpe1255.internal.lan" + ], "related.ip": [ - "10.98.126.206", - "10.195.62.230" + "10.195.62.230", + "10.98.126.206" ], "related.user": [ "ptassit" @@ -6728,8 +7007,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "oriosa", - "Allowed" + "Allowed", + "oriosa" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6785,6 +7064,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nderit1171.www5.domain" + ], "related.ip": [ "10.144.93.186", "10.84.140.5" @@ -6801,8 +7083,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "nima", - "Blocked" + "Blocked", + "nima" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6858,6 +7140,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "nos4114.api.lan" + ], "related.ip": [ "10.31.58.6", "10.198.84.190" @@ -6931,9 +7216,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oremeum4231.internal.host" + ], "related.ip": [ - "10.131.81.172", - "10.139.90.218" + "10.139.90.218", + "10.131.81.172" ], "related.user": [ "hende" @@ -6947,8 +7235,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rrorsi", "rsa.misc.action": [ - "exe", - "Allowed" + "Allowed", + "exe" ], "rsa.misc.category": "mnihi", "rsa.misc.filter": "consequa", 
@@ -7004,6 +7292,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "ueip6097.api.host" + ], "related.ip": [ "10.152.217.174", "10.128.43.71" @@ -7077,9 +7368,12 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "fugiatqu7793.www.localdomain" + ], "related.ip": [ - "10.217.193.148", - "10.26.149.221" + "10.26.149.221", + "10.217.193.148" ], "related.user": [ "uisa" @@ -7093,8 +7387,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tionemu", "rsa.misc.action": [ - "rehe", - "Blocked" + "Blocked", + "rehe" ], "rsa.misc.category": "aecons", "rsa.misc.filter": "aturve", @@ -7150,6 +7444,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "onsequ3168.www.corp" + ], "related.ip": [ "10.172.17.6", "10.109.192.53" @@ -7166,8 +7463,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "temUte", "rsa.misc.action": [ - "tassit", - "Blocked" + "Blocked", + "tassit" ], "rsa.misc.category": "ita", "rsa.misc.filter": "scive", @@ -7223,6 +7520,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "oremquel3120.internal.localhost" + ], "related.ip": [ "10.135.38.213", "10.119.106.108" @@ -7239,8 +7539,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "exeacomm", "rsa.misc.action": [ - "volup", - "Blocked" + "Blocked", + "volup" ], "rsa.misc.category": "ten", "rsa.misc.filter": "ssecil", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 66ca65108fd..bdf9957b55d 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json 
@@ -17,6 +17,9 @@ "observer.product": "Internet", "observer.type": "Configuration", "observer.vendor": "Zscaler", + "related.hosts": [ + "" + ], "related.user": [ "" ], From 5f6afdc361a835743f4685b0a8db3f5600876ede Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Mon, 21 Sep 2020 10:38:53 +0200 Subject: [PATCH 09/10] Add changelog entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 3287a4853a9..1c41a2f71e4 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -589,6 +589,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Added new module for Zoom webhooks {pull}20414[20414] - Add type and sub_type to panw panos fileset {pull}20912[20912] - Always attempt community_id processor on zeek module {pull}21155[21155] +- Add related.hosts ecs field to all modules {pull}21160[21160] *Heartbeat* From c39bda110edcf6cf643169c7eaf825e9d7a4d3b7 Mon Sep 17 00:00:00 2001 
From: Marc Guasch Date: Wed, 23 Sep 2020 12:38:04 +0200 Subject: [PATCH 10/10] Add checks to avoid empty strings --- .../osquery/result/ingest/pipeline.json | 2 +- .../module/system/auth/ingest/pipeline.yml | 2 +- .../module/system/syslog/ingest/pipeline.yml | 2 +- .../spamfirewall/ingest/pipeline.yml | 4 +-- .../test/generated.log-expected.json | 25 ++----------------- .../bluecoat/director/ingest/pipeline.yml | 2 +- .../module/cisco/meraki/ingest/pipeline.yml | 2 +- .../module/cisco/nexus/ingest/pipeline.yml | 4 +-- .../cisco/shared/ingest/asa-ftd-pipeline.yml | 8 +++--- .../citrix/netscaler/ingest/pipeline.yml | 2 +- .../cyberark/corepas/ingest/pipeline.yml | 4 +-- .../cylance/protect/ingest/pipeline.yml | 2 +- .../module/f5/bigipafm/ingest/pipeline.yml | 2 +- .../module/f5/bigipapm/ingest/pipeline.yml | 2 +- .../clientendpoint/ingest/pipeline.yml | 4 +-- .../fortinet/fortimail/ingest/pipeline.yml | 2 +- .../fortinet/fortimanager/ingest/pipeline.yml | 2 +- .../imperva/securesphere/ingest/pipeline.yml | 2 +- .../module/infoblox/nios/ingest/pipeline.yml | 4 +-- .../module/juniper/junos/ingest/pipeline.yml | 4 +-- .../defender_atp/ingest/pipeline.yml | 2 +- .../module/microsoft/dhcp/ingest/pipeline.yml | 4 +-- .../module/panw/panos/ingest/pipeline.yml | 2 +- .../emailsecurity/ingest/pipeline.yml | 4 +-- .../module/snort/log/ingest/pipeline.yml | 2 +- .../sonicwall/firewall/ingest/pipeline.yml | 8 +++--- .../module/sophos/utm/ingest/pipeline.yml | 4 +-- .../module/squid/log/ingest/pipeline.yml | 4 +-- .../module/suricata/eve/ingest/pipeline.yml | 2 +- .../endpointprotection/ingest/pipeline.yml | 8 +++--- .../module/tomcat/log/ingest/pipeline.yml | 6 ++--- .../module/zscaler/zia/ingest/pipeline.yml | 4 +-- 32 files changed, 55 insertions(+), 76 deletions(-) diff --git a/filebeat/module/osquery/result/ingest/pipeline.json b/filebeat/module/osquery/result/ingest/pipeline.json index 6d239aaeb2d..2a0329133fa 100644 
--- a/filebeat/module/osquery/result/ingest/pipeline.json +++ b/filebeat/module/osquery/result/ingest/pipeline.json @@ -211,7 +211,7 @@ "append": { "field": "related.hosts", "value": "{{host.hostname}}", - "if": "ctx?.host?.hostname != null", + "if": "ctx?.host?.hostname != null && ctx.host?.hostname != ''", "allow_duplicates": false } } diff --git a/filebeat/module/system/auth/ingest/pipeline.yml b/filebeat/module/system/auth/ingest/pipeline.yml index 71a3a3aefb0..54ab0dbf8f5 100644 --- a/filebeat/module/system/auth/ingest/pipeline.yml +++ b/filebeat/module/system/auth/ingest/pipeline.yml @@ -145,7 +145,7 @@ processors: - append: field: related.hosts value: "{{host.hostname}}" - if: "ctx.host?.hostname != null" + if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" allow_duplicates: false on_failure: - set: diff --git a/filebeat/module/system/syslog/ingest/pipeline.yml b/filebeat/module/system/syslog/ingest/pipeline.yml index 69a3bc94b67..b1352f2ad62 100644 --- a/filebeat/module/system/syslog/ingest/pipeline.yml +++ b/filebeat/module/system/syslog/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: - append: field: related.hosts value: "{{host.hostname}}" - if: "ctx.host?.hostname != null" + if: "ctx.host?.hostname != null && ctx.host?.hostname != ''" allow_duplicates: false on_failure: - set: diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml index b2c3414c4e7..2ae84bd17e5 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/barracuda/spamfirewall/ingest/pipeline.yml 
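Review bot: The new osquery condition mixes null-safe and plain access inside one expression, `ctx?.host?.hostname != null && ctx.host?.hostname != ''`, while the system/auth and system/syslog hunks in the same commit write `ctx.host?.hostname` on both sides. Evaluation is identical either way (the second clause only runs once the first has established `host.hostname` is non-null, and as far as I know `ctx` itself is always defined in an ingest script context), so this is a style point only. For consistency across the pipelines touched here I would write `"if": "ctx.host?.hostname != null && ctx.host?.hostname != ''"`.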
@@ -56,12 +56,12 @@ processors: - append: field: related.hosts value: '{{url.domain}}' - if: ctx?.url?.domain != null + if: ctx?.url?.domain != null && ctx?.url?.domain != "" allow_duplicates: false - append: field: related.hosts value: '{{server.domain}}' - if: ctx?.server?.domain != null + if: ctx?.server?.domain != null && ctx?.url?.domain != "" allow_duplicates: false on_failure: - append: diff --git a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json index c442d44c377..ff70486fab5 100644 --- a/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/barracuda/spamfirewall/test/generated.log-expected.json @@ -346,9 +346,6 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", - "related.hosts": [ - "" - ], "related.ip": [ "10.206.159.177" ], @@ -1148,9 +1145,6 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", - "related.hosts": [ - "" - ], "related.ip": [ "10.153.108.27" ], @@ -1626,9 +1620,6 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", - "related.hosts": [ - "" - ], "related.ip": [ "10.153.152.219" ], @@ -1833,9 +1824,6 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", - "related.hosts": [ - "" - ], "related.ip": [ "10.103.69.44" ], @@ -1919,9 +1907,6 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", - "related.hosts": [ - "" - ], "related.ip": [ "10.145.193.93" ], @@ -2034,9 +2019,6 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", - "related.hosts": [ - "" - ], "related.ip": [ "10.141.225.182" ], 
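Review bot: The second append in the spamfirewall hunk guards `server.domain` with the wrong field: `if: ctx?.server?.domain != null && ctx?.url?.domain != ""` tests url.domain, so an empty server.domain is still appended whenever url.domain is absent or non-empty, and a valid server.domain is dropped when url.domain happens to be the empty string. The line should read `if: ctx?.server?.domain != null && ctx?.server?.domain != ""`. This file also writes the empty string as `""` while every other pipeline in the commit uses `''`; both are valid in Painless, but one form keeps a grep-based audit of these guards simple.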
@@ -2718,9 +2700,6 @@ "observer.product": "Spam", "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", - "related.hosts": [ - "" - ], "related.ip": [ "10.157.196.101" ], @@ -3176,8 +3155,8 @@ "observer.type": "Anti-Virus", "observer.vendor": "Barracuda", "related.ip": [ - "10.178.30.158", - "10.1.6.115" + "10.1.6.115", + "10.178.30.158" ], "rsa.internal.messageid": "outbound/smtp", "rsa.investigations.event_cat": 1901000000, diff --git a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml index 3840746722c..97fbbb72c92 100644 --- a/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml +++ b/x-pack/filebeat/module/bluecoat/director/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml index ca144a95c4f..cf0d61d1a52 100644 --- a/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/meraki/ingest/pipeline.yml @@ -61,7 +61,7 @@ processors: - append: field: related.hosts value: '{{host.hostname}}' - if: ctx.host?.hostname != null + if: ctx.host?.hostname != null && ctx.host?.hostname != '' allow_duplicates: false on_failure: - append: diff --git a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml index 092221f8389..b85ab503dda 100644 --- a/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cisco/nexus/ingest/pipeline.yml 
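Review bot: The last hunk of generated.log-expected.json swaps the order of the two related.ip entries, which the empty-string checks this commit adds do not explain; if the golden file was regenerated, that hints the appends feeding related.ip are not order-stable, which is worth confirming before this expectation is relied on. The removed `related.hosts: [""]` entries above it are consistent with the new guards.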
@@ -56,12 +56,12 @@ processors: - append: field: related.hosts value: '{{host.name}}' - if: ctx.host?.name != null + if: ctx.host?.name != null && ctx.host?.name != '' allow_duplicates: false - append: field: related.hosts value: '{{host.hostname}}' - if: ctx.host?.hostname != null + if: ctx.host?.hostname != null && ctx.host?.hostname != '' allow_duplicates: false on_failure: - append: diff --git a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml index 727968cdf96..c828c45250a 100644 --- a/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml +++ b/x-pack/filebeat/module/cisco/shared/ingest/asa-ftd-pipeline.yml @@ -1550,22 +1550,22 @@ processors: - append: field: related.hosts value: "{{host.hostname}}" - if: ctx.host?.hostname != null + if: ctx.host?.hostname != null && ctx.host?.hostname != '' allow_duplicates: false - append: field: related.hosts value: "{{observer.hostname}}" - if: ctx.observer?.hostname != null + if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' allow_duplicates: false - append: field: related.hosts value: "{{destination.domain}}" - if: ctx.destination?.domain != null + if: ctx.destination?.domain != null && ctx.destination?.domain != '' allow_duplicates: false - append: field: related.hosts value: "{{source.domain}}" - if: ctx.source?.domain != null + if: ctx.source?.domain != null && ctx.source?.domain != '' allow_duplicates: false on_failure: # Copy any fields under _temp_.cisco to its final destination. Those can help diff --git a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml index ffb1d2e3374..a2f7da6f2a0 100644 --- a/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml +++ b/x-pack/filebeat/module/citrix/netscaler/ingest/pipeline.yml 
@@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{server.domain}}' allow_duplicates: false - if: ctx?.server?.domain != null + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml index 600d733a297..ffe90e79f85 100644 --- a/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cyberark/corepas/ingest/pipeline.yml @@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{host.hostname server.domain}}' allow_duplicates: false - if: ctx?.host?.hostname != null + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - append: field: related.hosts value: '{{server.domain}}' allow_duplicates: false - if: ctx?.server?.domain != null + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml index 182c4a85c19..72aa57c217a 100644 --- a/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cylance/protect/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml index 1a25fa92e38..39579462593 100644 --- a/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipafm/ingest/pipeline.yml 
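Review bot: In the cyberark corepas hunk the first append's guard now rejects a null or empty `host.hostname`, but the context line it protects renders `'{{host.hostname server.domain}}'`, which looks like a leftover of two templates merged into one rather than a valid Mustache variable; the guard added here cannot catch that, and the append would likely store an empty or literal value. Confirm the intended value is `'{{host.hostname}}'`, since a separate server.domain append already follows it. The enclosing processors list starts and ends outside the hunk.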
@@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml index d9d450d215d..8dbd2e2e6cb 100644 --- a/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/f5/bigipapm/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{rsa.web.fqdn}}' allow_duplicates: false - if: ctx?.rsa?.web?.fqdn != null + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml index e8deb2d54d3..28bbbd0e58e 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/clientendpoint/ingest/pipeline.yml @@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' - append: field: related.hosts value: '{{server.domain}}' allow_duplicates: false - if: ctx?.server?.domain != null + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml index aff06252131..f142da3fcfb 100644 --- a/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimail/ingest/pipeline.yml 
@@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{server.domain}}' allow_duplicates: false - if: ctx?.server?.domain != null + if: ctx?.server?.domain != null && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml index 85a7dfc44e7..79b9a885628 100644 --- a/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/fortimanager/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml index 817b256c777..a51475c0588 100644 --- a/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml +++ b/x-pack/filebeat/module/imperva/securesphere/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.hostname}}' allow_duplicates: false - if: ctx?.host?.hostname != null + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml index 517ff14bf4f..dd46c730477 100644 --- a/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml +++ b/x-pack/filebeat/module/infoblox/nios/ingest/pipeline.yml 
@@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' - append: field: related.hosts value: '{{rsa.misc.event_source}}' allow_duplicates: false - if: ctx?.rsa?.misc?.event_source != null + if: ctx?.rsa?.misc?.event_source != null && ctx.rsa?.misc?.event_source != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml index a2a37344dfd..bc38869e537 100644 --- a/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/juniper/junos/ingest/pipeline.yml @@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{host.hostname}}' allow_duplicates: false - if: ctx?.host?.hostname + if: ctx?.host?.hostname && ctx.host?.hostname != '' - append: field: related.hosts value: '{{server.domain}}' allow_duplicates: false - if: ctx?.server?.domain + if: ctx?.server?.domain && ctx.server?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml index 7ed7c2ffe4a..0f35c753092 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml @@ -282,7 +282,7 @@ processors: - append: field: related.hosts value: '{{host.hostname}}' - if: ctx.host?.hostname != null + if: ctx.host?.hostname != null && ctx.host?.hostname != '' allow_duplicates: false ############# diff --git a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml index 31ab37d66c2..6ba5eef3032 100644 --- a/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml +++ b/x-pack/filebeat/module/microsoft/dhcp/ingest/pipeline.yml 
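Review bot: The juniper junos hunk keeps the bare `ctx?.host?.hostname && ...` and `ctx?.server?.domain && ...` conditions instead of the explicit `!= null` every other module in this commit uses; Painless has no truthiness for strings, so a String (or null) as the left operand of `&&` is likely to fail with a cast error rather than evaluate to false, and the added empty-string clause would never be reached. Align both lines with the rest of the change: `if: ctx?.host?.hostname != null && ctx.host?.hostname != ''` and `if: ctx?.server?.domain != null && ctx.server?.domain != ''`.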
@@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{host.hostname}}' allow_duplicates: false - if: ctx?.host?.hostname != null + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - append: field: related.hosts value: '{{source.address}}' allow_duplicates: false - if: ctx?.source?.address != null + if: ctx?.source?.address != null && ctx.source?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 409a3a00edb..a958993a61c 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -475,7 +475,7 @@ processors: - append: field: related.hosts value: "{{observer.hostname}}" - if: "ctx?.observer?.hostname != null" + if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" allow_duplicates: false # Remove temporary fields. diff --git a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml index 5aa08a193e8..a5eafc083d9 100644 --- a/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml +++ b/x-pack/filebeat/module/proofpoint/emailsecurity/ingest/pipeline.yml @@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' - append: field: related.hosts value: '{{destination.address}}' allow_duplicates: false - if: ctx?.destination?.address != null + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml index 10e5acc9c15..640c5b2556a 100644 --- a/x-pack/filebeat/module/snort/log/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/snort/log/ingest/pipeline.yml @@ -57,7 +57,7 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml index 0dfb627bc0b..01202648b26 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sonicwall/firewall/ingest/pipeline.yml @@ -57,22 +57,22 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' - append: field: related.hosts value: '{{host.hostname}}' allow_duplicates: false - if: ctx?.host?.hostname != null + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - append: field: related.hosts value: '{{source.address}}' allow_duplicates: false - if: ctx?.source?.address != null + if: ctx?.source?.address != null && ctx.source?.address != '' - append: field: related.hosts value: '{{destination.address}}' allow_duplicates: false - if: ctx?.destination?.address != null + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml index 8a11fce4053..62aaa2a3c30 100644 --- a/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml +++ b/x-pack/filebeat/module/sophos/utm/ingest/pipeline.yml 
@@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' - append: field: related.hosts value: '{{destination.address}}' allow_duplicates: false - if: ctx?.destination?.address != null + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml index 70ef42a20da..9a8f547c6d1 100644 --- a/x-pack/filebeat/module/squid/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/squid/log/ingest/pipeline.yml @@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{server.domain}}' allow_duplicates: false - if: ctx?.server?.domain != null + if: ctx?.server?.domain != null && ctx.server?.domain != '' - append: field: related.hosts value: '{{url.domain}}' allow_duplicates: false - if: ctx?.url?.domain != null + if: ctx?.url?.domain != null && ctx.url?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 684fdedcd51..01ed5accbe6 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml @@ -336,7 +336,7 @@ processors: - append: field: related.hosts value: '{{url.domain}}' - if: ctx.url?.domain != null + if: ctx.url?.domain != null && ctx.url?.domain != '' allow_duplicates: false - remove: field: diff --git a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml index 910205d3d03..cf257ba5d64 100644 --- a/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml +++ b/x-pack/filebeat/module/symantec/endpointprotection/ingest/pipeline.yml 
@@ -57,22 +57,22 @@ processors: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' - append: field: related.hosts value: '{{host.hostname}}' allow_duplicates: false - if: ctx?.host?.hostname != null + if: ctx?.host?.hostname != null && ctx.host?.hostname != '' - append: field: related.hosts value: '{{source.address}}' allow_duplicates: false - if: ctx?.source?.address != null + if: ctx?.source?.address != null && ctx.source?.address != '' - append: field: related.hosts value: '{{destination.address}}' allow_duplicates: false - if: ctx?.destination?.address != null + if: ctx?.destination?.address != null && ctx.destination?.address != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml index 37cb7678eca..64e1d82943a 100644 --- a/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/tomcat/log/ingest/pipeline.yml @@ -57,17 +57,17 @@ processors: field: related.hosts value: '{{rsa.web.fqdn}}' allow_duplicates: false - if: ctx?.rsa?.web?.fqdn != null + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' - append: field: related.hosts value: '{{rsa.web.web_ref_domain}}' allow_duplicates: false - if: ctx?.rsa?.web?.web_ref_domain != null + if: ctx?.rsa?.web?.web_ref_domain != null && ctx.rsa?.web?.web_ref_domain != '' - append: field: related.hosts value: '{{url.domain}}' allow_duplicates: false - if: ctx?.url?.domain != null + if: ctx?.url?.domain != null && ctx.url?.domain != '' on_failure: - append: field: error.message diff --git a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml index 58d755aa4e9..f60a8a2e9de 100644 --- a/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zscaler/zia/ingest/pipeline.yml 
@@ -57,12 +57,12 @@ processors: field: related.hosts value: '{{rsa.web.fqdn}}' allow_duplicates: false - if: ctx?.rsa?.web?.fqdn != null + if: ctx?.rsa?.web?.fqdn != null && ctx.rsa?.web?.fqdn != '' - append: field: related.hosts value: '{{host.name}}' allow_duplicates: false - if: ctx?.host?.name != null + if: ctx?.host?.name != null && ctx.host?.name != '' on_failure: - append: field: error.message