Amazon Security Lake integration - DTD - Python script

[f-galland]

Description

A middle point between creating a Logstash output plugin or codec to send binary data to S3 and using a Lambda function with an auxiliary S3 bucket is to continue the Logstash pipeline with a custom script that transforms and uploads the data.

The benefits of this approach are:

• The data transformation and upload process is independent of the Logstash's ingest pipeline.
• The script can be self-hosted, reducing costs.
• The script can be used for future integrations starring integratord.
• Agile development, as Python is a language we are confident with, unlike Ruby.
• We do not need to learn and comply with Logstash's plugins development requirements and lifecycle.

Functional requirements

• Read data from the Logstash's pipeline.
• Transform our data to OCSF compatible schema.
• Encode our data as Apache Parquet.
• Upload the data to an S3 bucket.

Implementation restrictions

• The Logstash pipeline will invoke our script using the pipe output plugin, so the script must be able to read the data from standard input.
• To upload the data, use AWS SDK for Python (Boto3).
• Ensure data encryption is enabled and pay special attention to safe handling of AWS credentials.

Additional information

As a guideline, check how other companies do it. For example, CrowdStrike.

[kclinden]

What are you thinking for mapping Wazuh events to OCSF event classes? Will you likely do it as a single class of "Security Finding(2001)" or will you try to break it out to various classes?

[f-galland]

What are you thinking for mapping Wazuh events to OCSF event classes? Will you likely do it as a single class of "Security Finding(2001)" or will you try to break it out to various classes?

For the time being, we are researching various approaches to the pipeline mechanism itself as the OCSF mapping is being developed in parallel to our effort here.

[AlexRuiz7]

What are you thinking for mapping Wazuh events to OCSF event classes? Will you likely do it as a single class of "Security Finding(2001)" or will you try to break it out to various classes?

We are investigating that and should have a reply shortly. In the meantime, we'll use the "Security Finding(2001)" class, fill the required values, and include the rest of the data in the "unmapped" field, so we can test whether the integration works, even if it's not mapped properly yet.

We'd like to use various classes, but we'll see.

[AlexRuiz7]

What are you thinking for mapping Wazuh events to OCSF event classes? Will you likely do it as a single class of "Security Finding(2001)" or will you try to break it out to various classes?

We are investigating that and should have a reply shortly. In the meantime, we'll use the "Security Finding(2001)" class, fill the required values, and include the rest of the data in the "unmapped" field, so we can test whether the integration works, even if it's not mapped properly yet.

We'd like to use various classes, but we'll see.

@kclinden here's an update on our OCSF mappings.

[f-galland]

Now that we have a docker testing environment, we are moving back to this one.
In my tests I'm also including a s3.ninja local bucket for ease of debugging.

In order to authenticate and write to a local S3 bucket using pyarrow, we need to explicitly instantiate a fs.S3FileSystem object in order to set the endpoint_override parameter to the local bucket's IP address and listening port.

I've opted for using boto3 to handle reading the .aws/credentials file so as to be able to read a single profile's credentials as well.

As of right now, the logic for this lives within a function, but this should ideally be moved out to a class.

[f-galland]

The integration gets to upload a few parquet, but it then stops without exiting or throwing erros:

fede@tyner:~/src/wazuh-indexer/integrations/docker (logstash-pipe-output *)
$ docker logs wazuh.integration.security.lake 2>&1 | grep -i parquet
2024-02-27 17:43:01,215 Writing data to parquet file
2024-02-27 17:44:00,843 Writing data to parquet file
2024-02-27 17:44:02,874 Writing data to parquet file
2024-02-27 17:45:01,003 Writing data to parquet file
2024-02-27 17:45:03,037 Writing data to parquet file
2024-02-27 17:46:01,147 Writing data to parquet file
2024-02-27 17:46:03,176 Writing data to parquet file
2024-02-27 17:47:01,293 Writing data to parquet file
2024-02-27 17:47:03,350 Writing data to parquet file
2024-02-27 17:48:00,496 Writing data to parquet file
2024-02-27 17:48:02,535 Writing data to parquet file
2024-02-27 17:49:00,636 Writing data to parquet file
2024-02-27 17:49:02,676 Writing data to parquet file
2024-02-27 17:50:00,804 Writing data to parquet file
2024-02-27 17:50:02,843 Writing data to parquet file

Full output

[2024-02-27T17:42:28,366][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>16, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>2000, "pipeline.sources"=>["/usr/share/logstash/pipeline/indexer-to-integrator.conf"], :thread=>"#<Thread:0x1046f8ec /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2024-02-27T17:42:28,825][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.46}
[2024-02-27T17:42:29,151][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2024-02-27T17:42:29,161][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2024-02-27T17:43:00,723][INFO ][logstash.outputs.pipe    ][main][securityLake] Opening pipe {:command=>"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"}
[2024-02-27T17:43:00,734][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:43:01,215 BUFFERING STDIN
2024-02-27 17:43:01,215 Writing data to parquet file
2024-02-27 17:43:01,216 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:43:01,217 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:43:01,219 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:43:01,220 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:43:01,220 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:43:01,221 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:43:01,221 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:43:01,223 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:43:01,223 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:43:01,223 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:43:01,223 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:43:01,223 Setting config variable for profile to 'default'
2024-02-27 17:43:01,225 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:43:01,226 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:43:01,226 Looking for credentials via: assume-role
2024-02-27 17:43:01,226 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:43:01,226 Looking for credentials via: sso
2024-02-27 17:43:01,226 Looking for credentials via: shared-credentials-file
2024-02-27 17:43:01,226 Found credentials in shared credentials file: ~/.aws/credentials
[2024-02-27T17:44:00,841][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:44:00,843 Writing data to parquet file
2024-02-27 17:44:00,844 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:44:00,846 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:44:00,846 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:44:00,847 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:44:00,847 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:44:00,848 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:44:00,848 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:44:00,850 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:44:00,850 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:44:00,850 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:44:00,850 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:44:00,850 Setting config variable for profile to 'default'
2024-02-27 17:44:00,852 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:44:00,852 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:44:00,852 Looking for credentials via: assume-role
2024-02-27 17:44:00,852 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:44:00,852 Looking for credentials via: sso
2024-02-27 17:44:00,852 Looking for credentials via: shared-credentials-file
2024-02-27 17:44:00,853 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:44:02,874 Writing data to parquet file
2024-02-27 17:44:02,874 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:44:02,876 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:44:02,877 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:44:02,878 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:44:02,878 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:44:02,879 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:44:02,879 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:44:02,881 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:44:02,881 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:44:02,881 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:44:02,882 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:44:02,882 Setting config variable for profile to 'default'
2024-02-27 17:44:02,883 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:44:02,883 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:44:02,884 Looking for credentials via: assume-role
2024-02-27 17:44:02,884 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:44:02,884 Looking for credentials via: sso
2024-02-27 17:44:02,884 Looking for credentials via: shared-credentials-file
2024-02-27 17:44:02,884 Found credentials in shared credentials file: ~/.aws/credentials
[2024-02-27T17:45:01,002][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:45:01,003 Writing data to parquet file
2024-02-27 17:45:01,003 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:45:01,005 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:45:01,005 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:45:01,006 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:45:01,006 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:45:01,007 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:45:01,007 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:45:01,009 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:45:01,009 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:45:01,009 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:45:01,009 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:45:01,010 Setting config variable for profile to 'default'
2024-02-27 17:45:01,011 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:45:01,011 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:45:01,011 Looking for credentials via: assume-role
2024-02-27 17:45:01,012 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:45:01,012 Looking for credentials via: sso
2024-02-27 17:45:01,012 Looking for credentials via: shared-credentials-file
2024-02-27 17:45:01,012 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:45:03,037 Writing data to parquet file
2024-02-27 17:45:03,038 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:45:03,039 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:45:03,040 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:45:03,041 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:45:03,041 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:45:03,041 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:45:03,042 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:45:03,043 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:45:03,043 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:45:03,043 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:45:03,044 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:45:03,044 Setting config variable for profile to 'default'
2024-02-27 17:45:03,045 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:45:03,046 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:45:03,046 Looking for credentials via: assume-role
2024-02-27 17:45:03,046 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:45:03,046 Looking for credentials via: sso
2024-02-27 17:45:03,046 Looking for credentials via: shared-credentials-file
2024-02-27 17:45:03,046 Found credentials in shared credentials file: ~/.aws/credentials
[2024-02-27T17:46:01,146][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:46:01,147 Writing data to parquet file
2024-02-27 17:46:01,148 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:46:01,150 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:46:01,150 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:46:01,151 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:46:01,151 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:46:01,152 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:46:01,152 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:46:01,154 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:46:01,154 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:46:01,154 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:46:01,154 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:46:01,154 Setting config variable for profile to 'default'
2024-02-27 17:46:01,155 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:46:01,156 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:46:01,156 Looking for credentials via: assume-role
2024-02-27 17:46:01,156 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:46:01,156 Looking for credentials via: sso
2024-02-27 17:46:01,156 Looking for credentials via: shared-credentials-file
2024-02-27 17:46:01,156 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:46:03,176 Writing data to parquet file
2024-02-27 17:46:03,177 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:46:03,178 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:46:03,179 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:46:03,180 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:46:03,180 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:46:03,181 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:46:03,182 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:46:03,184 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:46:03,184 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:46:03,184 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:46:03,184 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:46:03,186 Setting config variable for profile to 'default'
2024-02-27 17:46:03,187 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:46:03,187 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:46:03,187 Looking for credentials via: assume-role
2024-02-27 17:46:03,187 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:46:03,187 Looking for credentials via: sso
2024-02-27 17:46:03,187 Looking for credentials via: shared-credentials-file
2024-02-27 17:46:03,188 Found credentials in shared credentials file: ~/.aws/credentials
[2024-02-27T17:47:01,292][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:47:01,293 Writing data to parquet file
2024-02-27 17:47:01,295 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:47:01,299 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:47:01,302 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:47:01,308 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:47:01,308 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:47:01,310 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:47:01,311 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:47:01,313 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:47:01,313 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:47:01,314 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:47:01,314 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:47:01,314 Setting config variable for profile to 'default'
2024-02-27 17:47:01,316 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:47:01,316 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:47:01,316 Looking for credentials via: assume-role
2024-02-27 17:47:01,316 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:47:01,316 Looking for credentials via: sso
2024-02-27 17:47:01,317 Looking for credentials via: shared-credentials-file
2024-02-27 17:47:01,317 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:47:03,350 Writing data to parquet file
2024-02-27 17:47:03,351 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:47:03,352 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:47:03,353 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:47:03,355 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:47:03,355 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:47:03,355 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:47:03,356 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:47:03,359 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:47:03,359 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:47:03,359 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:47:03,359 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:47:03,359 Setting config variable for profile to 'default'
2024-02-27 17:47:03,360 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:47:03,361 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:47:03,362 Looking for credentials via: assume-role
2024-02-27 17:47:03,362 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:47:03,362 Looking for credentials via: sso
2024-02-27 17:47:03,362 Looking for credentials via: shared-credentials-file
2024-02-27 17:47:03,362 Found credentials in shared credentials file: ~/.aws/credentials
[2024-02-27T17:48:00,494][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:48:00,496 Writing data to parquet file
2024-02-27 17:48:00,496 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:48:00,498 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:48:00,499 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:48:00,500 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:48:00,500 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:48:00,501 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:48:00,501 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:48:00,503 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:48:00,503 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:48:00,503 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:48:00,503 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:48:00,504 Setting config variable for profile to 'default'
2024-02-27 17:48:00,505 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:48:00,506 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:48:00,506 Looking for credentials via: assume-role
2024-02-27 17:48:00,506 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:48:00,506 Looking for credentials via: sso
2024-02-27 17:48:00,506 Looking for credentials via: shared-credentials-file
2024-02-27 17:48:00,506 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:48:02,535 Writing data to parquet file
2024-02-27 17:48:02,535 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:48:02,536 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:48:02,537 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:48:02,538 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:48:02,538 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:48:02,539 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:48:02,539 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:48:02,541 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:48:02,541 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:48:02,541 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:48:02,541 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:48:02,542 Setting config variable for profile to 'default'
2024-02-27 17:48:02,543 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:48:02,544 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:48:02,544 Looking for credentials via: assume-role
2024-02-27 17:48:02,544 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:48:02,544 Looking for credentials via: sso
2024-02-27 17:48:02,544 Looking for credentials via: shared-credentials-file
2024-02-27 17:48:02,544 Found credentials in shared credentials file: ~/.aws/credentials
[2024-02-27T17:49:00,634][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:49:00,636 Writing data to parquet file
2024-02-27 17:49:00,636 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:49:00,637 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:49:00,638 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:49:00,639 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:49:00,639 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:49:00,640 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:49:00,641 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:49:00,642 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:49:00,643 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:49:00,643 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:49:00,643 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:49:00,643 Setting config variable for profile to 'default'
2024-02-27 17:49:00,644 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:49:00,645 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:49:00,645 Looking for credentials via: assume-role
2024-02-27 17:49:00,645 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:49:00,646 Looking for credentials via: sso
2024-02-27 17:49:00,646 Looking for credentials via: shared-credentials-file
2024-02-27 17:49:00,646 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:49:02,676 Writing data to parquet file
2024-02-27 17:49:02,676 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:49:02,678 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:49:02,678 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:49:02,679 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:49:02,679 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:49:02,680 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:49:02,681 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:49:02,683 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:49:02,683 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:49:02,683 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:49:02,683 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:49:02,685 Setting config variable for profile to 'default'
2024-02-27 17:49:02,687 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:49:02,687 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:49:02,687 Looking for credentials via: assume-role
2024-02-27 17:49:02,687 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:49:02,687 Looking for credentials via: sso
2024-02-27 17:49:02,687 Looking for credentials via: shared-credentials-file
2024-02-27 17:49:02,688 Found credentials in shared credentials file: ~/.aws/credentials
[2024-02-27T17:50:00,802][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:50:00,804 Writing data to parquet file
2024-02-27 17:50:00,804 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:50:00,806 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:50:00,806 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:50:00,807 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:50:00,808 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:50:00,808 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:50:00,809 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:50:00,811 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:50:00,811 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:50:00,812 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:50:00,812 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:50:00,812 Setting config variable for profile to 'default'
2024-02-27 17:50:00,813 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:50:00,814 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:50:00,814 Looking for credentials via: assume-role
2024-02-27 17:50:00,814 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:50:00,814 Looking for credentials via: sso
2024-02-27 17:50:00,814 Looking for credentials via: shared-credentials-file
2024-02-27 17:50:00,815 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:50:02,843 Writing data to parquet file
2024-02-27 17:50:02,843 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:50:02,844 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:50:02,845 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:50:02,846 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:50:02,846 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:50:02,846 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:50:02,847 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:50:02,848 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:50:02,848 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:50:02,848 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:50:02,848 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:50:02,849 Setting config variable for profile to 'default'
2024-02-27 17:50:02,850 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:50:02,850 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:50:02,850 Looking for credentials via: assume-role
2024-02-27 17:50:02,850 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:50:02,850 Looking for credentials via: sso
2024-02-27 17:50:02,850 Looking for credentials via: shared-credentials-file
2024-02-27 17:50:02,851 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:51:00,961 Writing data to parquet file
[2024-02-27T17:51:00,961][INFO ][logstash.outputs.pipe    ][main][securityLake] Starting stale pipes cleanup cycle {:pipes=>{"/usr/share/logstash/bin/run.py --pushinterval 10 --maxlength 30 --linebuffer 10 --sleeptime 1 --bucketname securitylake --s3endpoint s3.ninja:9000 --s3profile default"=>#<PipeWrapper:0x21f98019 @pipe=#<IO:fd 84>, @active=true>}}
2024-02-27 17:51:00,963 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:51:00,964 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:51:00,965 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:51:00,966 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:51:00,966 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:51:00,966 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:51:00,967 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:51:00,969 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:51:00,969 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:51:00,969 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:51:00,969 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:51:00,969 Setting config variable for profile to 'default'
2024-02-27 17:51:00,971 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:51:00,971 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:51:00,971 Looking for credentials via: assume-role
2024-02-27 17:51:00,971 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:51:00,971 Looking for credentials via: sso
2024-02-27 17:51:00,971 Looking for credentials via: shared-credentials-file
2024-02-27 17:51:00,971 Found credentials in shared credentials file: ~/.aws/credentials
2024-02-27 17:51:02,988 Writing data to parquet file
2024-02-27 17:51:02,989 Changing event name from creating-client-class.iot-data to creating-client-class.iot-data-plane
2024-02-27 17:51:02,990 Changing event name from before-call.apigateway to before-call.api-gateway
2024-02-27 17:51:02,991 Changing event name from request-created.machinelearning.Predict to request-created.machine-learning.Predict
2024-02-27 17:51:02,992 Changing event name from before-parameter-build.autoscaling.CreateLaunchConfiguration to before-parameter-build.auto-scaling.CreateLaunchConfiguration
2024-02-27 17:51:02,992 Changing event name from before-parameter-build.route53 to before-parameter-build.route-53
2024-02-27 17:51:02,993 Changing event name from request-created.cloudsearchdomain.Search to request-created.cloudsearch-domain.Search
2024-02-27 17:51:02,993 Changing event name from docs.*.autoscaling.CreateLaunchConfiguration.complete-section to docs.*.auto-scaling.CreateLaunchConfiguration.complete-section
2024-02-27 17:51:02,995 Changing event name from before-parameter-build.logs.CreateExportTask to before-parameter-build.cloudwatch-logs.CreateExportTask
2024-02-27 17:51:02,995 Changing event name from docs.*.logs.CreateExportTask.complete-section to docs.*.cloudwatch-logs.CreateExportTask.complete-section
2024-02-27 17:51:02,995 Changing event name from before-parameter-build.cloudsearchdomain.Search to before-parameter-build.cloudsearch-domain.Search
2024-02-27 17:51:02,995 Changing event name from docs.*.cloudsearchdomain.Search.complete-section to docs.*.cloudsearch-domain.Search.complete-section
2024-02-27 17:51:02,995 Setting config variable for profile to 'default'
2024-02-27 17:51:02,997 IMDS ENDPOINT: http://169.254.169.254/
2024-02-27 17:51:02,998 Skipping environment variable credential check because profile name was explicitly set.
2024-02-27 17:51:02,998 Looking for credentials via: assume-role
2024-02-27 17:51:02,998 Looking for credentials via: assume-role-with-web-identity
2024-02-27 17:51:02,998 Looking for credentials via: sso
2024-02-27 17:51:02,998 Looking for credentials via: shared-credentials-file
2024-02-27 17:51:02,998 Found credentials in shared credentials file: ~/.aws/credentials

The files that get to be uploaded seem ok:

wazuh-2024-02-27_17.43.01.parquet

+---------------+-----------------+----------------+-------------------+-------------+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+------------------------------------------------------------------------------------+
|   activity_id | category_name   |   category_uid | class_name        |   class_uid | message                                         | finding_info                                                                                                                                                                                                                                                                    | metadata                                                                                                                                                | resources                                                            |   risk_score |   severity_id |   status_id | time                         |   type_uid | unmapped                                                                           |
|---------------+-----------------+----------------+-------------------+-------------+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+------------------------------------------------------------------------------------|
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:13.095+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:28.547+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array([0]), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:45.084+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:11.036+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             7 |          99 | 2024-02-27T17:52:30.618+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:47.150+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:10.002+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            7 |             7 |          99 | 2024-02-27T17:52:29.582+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:52:46.117+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            7 |             7 |          99 | 2024-02-27T17:52:14.130+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array([0]), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:52:31.652+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:48.183+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Sample alert 2                                  | {'analytic': {'category': 'ciscat', 'type_id': 1, 'uid': '684'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Sample alert 2', 'types': array([0]), 'uid': '1580123327.49031'}                                           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            8 |             8 |          99 | 2024-02-27T17:52:12.069+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array([0]), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             3 |          99 | 2024-02-27T17:52:32.690+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Sample alert 4                                  | {'analytic': {'category': 'ciscat', 'type_id': 1, 'uid': '188'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Sample alert 4', 'types': array([0]), 'uid': '1580123327.49031'}                                           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            6 |             6 |          99 | 2024-02-27T17:52:49.217+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             7 |          99 | 2024-02-27T17:52:00.721+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Sample alert 5                                  | {'analytic': {'category': 'ciscat', 'type_id': 1, 'uid': '2835'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Sample alert 5', 'types': array([0]), 'uid': '1580123327.49031'}                                          | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            4 |             4 |          99 | 2024-02-27T17:52:17.204+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:33.724+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             3 |          99 | 2024-02-27T17:52:50.242+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array([0]), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             3 |          99 | 2024-02-27T17:52:07.942+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array([0]), 'uid': '1580123327.49031'}        | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             3 |          99 | 2024-02-27T17:52:22.357+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:52:35.791+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:52:52.298+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            7 |             7 |          99 | 2024-02-27T17:52:04.858+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | CVE-2018-6485 affects libc-bin                  | {'analytic': {'category': 'vulnerability-detector', 'type_id': 1, 'uid': '23506'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'CVE-2018-6485 affects libc-bin', 'types': array([0]), 'uid': '1580123327.49031'}         | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |           13 |            13 |          99 | 2024-02-27T17:52:25.451+0000 |     200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object)} |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            7 |             7 |          99 | 2024-02-27T17:52:34.758+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:51.264+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:52:01.757+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array([0]), 'uid': '1580123327.49031'}        | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:21.322+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ls                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:36.825+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ls                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:53.330+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:05.893+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array([0]), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:18.229+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:52:37.858+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:54.364+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:03.824+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:24.416+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/crond                 | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/crond', 'types': array([0]), 'uid': '1580123327.49031'}           | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:38.892+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:52:55.398+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            7 |             7 |          99 | 2024-02-27T17:52:02.790+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
+---------------+-----------------+----------------+-------------------+-------------+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+------------------------------------------------------------------------------------+

wazuh-2024-02-27_17.42.00.parquet

+---------------+-----------------+----------------+-------------------+-------------+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+------------------------------------------------------------------------------------+
|   activity_id | category_name   |   category_uid | class_name        |   class_uid | message                                         | finding_info                                                                                                                                                                                                                                                                    | metadata                                                                                                                                                | resources                                                            |   risk_score |   severity_id |   status_id | time                         |   type_uid | unmapped                                                                           |
|---------------+-----------------+----------------+-------------------+-------------+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+------------------------------------------------------------------------------------|
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array([0]), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:27.972+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             3 |          99 | 2024-02-27T17:41:44.556+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:13.527+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array([0]), 'uid': '1580123327.49031'}     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:30.030+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            7 |             7 |          99 | 2024-02-27T17:41:46.624+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:15.602+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array([0]), 'uid': '1580123327.49031'}        | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:32.098+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:48.692+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array([0]), 'uid': '1580123327.49031'}     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             3 |          99 | 2024-02-27T17:41:16.628+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             7 |          99 | 2024-02-27T17:41:33.124+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:41:49.727+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array([0]), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:18.697+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            7 |             7 |          99 | 2024-02-27T17:41:35.193+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array([0]), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:51.789+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            7 |             7 |          99 | 2024-02-27T17:41:12.491+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | CVE-2018-7738 affects mount                     | {'analytic': {'category': 'vulnerability-detector', 'type_id': 1, 'uid': '23505'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'CVE-2018-7738 affects mount', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |           10 |            10 |          99 | 2024-02-27T17:41:29.006+0000 |     200401 | {'data_sources': array(['vulnerability-detector', 'wazuh-manager'], dtype=object)} |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:41:45.589+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            7 |             7 |          99 | 2024-02-27T17:41:17.662+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:41:34.148+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ssh                   | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ssh', 'types': array([0]), 'uid': '1580123327.49031'}             | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:50.762+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array([0]), 'uid': '1580123327.49031'}     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:14.577+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:31.065+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ls                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:47.658+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:19.733+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Amazon', 'uid': '002'}]                                   |            7 |             7 |          99 | 2024-02-27T17:41:36.229+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array([0]), 'uid': '1580123327.49031'}     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:41:52.823+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/id                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/id', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:21.804+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/hostname              | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/hostname', 'types': array([0]), 'uid': '1580123327.49031'}        | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:38.317+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ls                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:54.892+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Host-based anomaly detection event (rootcheck). | {'analytic': {'category': 'wazuh,rootcheck', 'type_id': 1, 'uid': '510'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Host-based anomaly detection event (rootcheck).', 'types': array([0]), 'uid': '1580123327.49031'} | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Ubuntu', 'uid': '004'}]                                   |            7 |             7 |          99 | 2024-02-27T17:41:22.836+0000 |     200401 | {'data_sources': array(['rootcheck', 'wazuh-manager'], dtype=object)}              |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Windows', 'uid': '006'}]                                  |            3 |             3 |          99 | 2024-02-27T17:41:39.367+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/bash                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/bash', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:55.927+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ls                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:41:20.768+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:37.267+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/grep                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80791'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/grep', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'RHEL7', 'uid': '001'}]                                    |            3 |             3 |          99 | 2024-02-27T17:41:53.858+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sh                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80790'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sh', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:23.867+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Sample alert 2                                  | {'analytic': {'category': 'ciscat', 'type_id': 1, 'uid': '2761'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Sample alert 2', 'types': array([0]), 'uid': '1580123327.49031'}                                          | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Centos', 'uid': '005'}]                                   |            4 |             4 |          99 | 2024-02-27T17:41:40.417+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/consoletype           | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/consoletype', 'types': array([0]), 'uid': '1580123327.49031'}     | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'ip-10-0-0-180.us-west-1.compute.internal', 'uid': '003'}] |            3 |             3 |          99 | 2024-02-27T17:41:56.951+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/sudo                  | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/sudo', 'types': array([0]), 'uid': '1580123327.49031'}            | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Centos', 'uid': '005'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:25.925+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
|             1 | Findings        |              2 | Detection Finding |        2004 | Audit: Command: /usr/sbin/ls                    | {'analytic': {'category': 'audit,audit_command', 'type_id': 1, 'uid': '80784'}, 'attacks': {'tactic': {'dummy': True}, 'technique': {'dummy': True}, 'version': 'v13.1'}, 'title': 'Audit: Command: /usr/sbin/ls', 'types': array([0]), 'uid': '1580123327.49031'}              | {'log_name': 'Security events', 'log_provider': 'Wazuh', 'product': {'lang': 'en', 'name': 'Wazuh', 'vendor_name': 'Wazuh, Inc,.'}, 'version': '1.1.0'} | [{'name': 'Debian', 'uid': '007'}]                                   |            3 |             3 |          99 | 2024-02-27T17:41:42.488+0000 |     200401 | {'data_sources': array(['', 'wazuh-manager'], dtype=object)}                       |
+---------------+-----------------+----------------+-------------------+-------------+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------+--------------+---------------+-------------+------------------------------+------------+------------------------------------------------------------------------------------+

[f-galland]

The current date (used for the files' timestamps) was being evaluated at the begging of the main block and not within the loop.
Moving it to the appropriate spot now generates files properly.

[AlexRuiz7]

Latest update on #186 (comment)