diff --git a/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md b/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md deleted file mode 100644 index b30b55fe77e5d..0000000000000 --- a/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -name: Integrations maintenance request -about: Used by the Indexer team to maintain third-party software integrations and track the results. -title: Integrations maintenance request -labels: level/task, request/operational, type/maintenance -assignees: "" ---- - -## Description - -The Wazuh Indexer team is responsible for the maintenance of the third-party integrations hosted in the wazuh/wazuh-indexer repository. We must ensure these integrations work under new releases of the third-party software (Splunk, Elastic, Logstash, …) and our own. - -For that, we need to: - -- [ ] Create a pull request that upgrades the components to the latest version. -- [ ] Update our testing environments to verify the integrations work under new versions. -- [ ] Test the integrations, checking that: - - The Docker Compose project starts without errors. - - The data arrives to the destination. - - All the dashboards can be imported successfully. - - All the dashboards are populated with data. -- [ ] Finally, upgrade the compatibility matrix in integrations/README.md with the new versions. - -> [!NOTE] -> * For Logstash, we use the logstash-oss image. -> * For Wazuh Indexer and Wazuh Dashboard, we use the opensearch and opensearch-dashboards images. These must match the opensearch version that we support (e.g: for Wazuh 4.9.0 it is OpenSearch 2.13.0). - -## Issues - -- _List here the detected issues_ diff --git a/.github/workflows/generate-ecs-mappings.yml b/.github/workflows/generate-ecs-mappings.yml deleted file mode 100644 index f328c6d79c094..0000000000000 --- a/.github/workflows/generate-ecs-mappings.yml +++ /dev/null 
@@ -1,48 +0,0 @@ -name: ECS Generator - -on: - push: - paths: - - "ecs/**/*.json" - - "ecs/**/*.yml" - -jobs: - run-ecs-generator: - if: github.repository == 'wazuh/wazuh-indexer' - runs-on: ubuntu-24.04 - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - with: - fetch-depth: 2 - - - name: Extract branch name - shell: bash - run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT - id: branch-name - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Set up Docker Compose - run: sudo apt-get install docker-compose - - - name: Generate PR to wazuh-indexer-plugins - id: generate-pr - env: - GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }} - COMMITER_EMAIL: ${{ secrets.INDEXER_BOT_EMAIL }} - COMMITTER_USERNAME: "Wazuh Indexer Bot" - SSH_PRIVATE_KEY: ${{ secrets.INDEXER_BOT_PRIVATE_SSH_KEY }} - SSH_PUBLIC_KEY: ${{ secrets.INDEXER_BOT_PUBLIC_SSH_KEY }} - run: | - bash ecs/scripts/generate-pr-to-plugins.sh \ - -b ${{ steps.branch-name.outputs.branch }} \ - -o ecs-templates - - - name: Upload artifact - uses: actions/upload-artifact@v4 - with: - name: ecs-templates - path: "ecs-templates" diff --git a/README.md b/README.md index 95c6fea8fa1d0..3fbf64979dbc6 100644 --- a/README.md +++ b/README.md 
@@ -11,7 +11,6 @@ [![GHA precommit](https://github.com/opensearch-project/OpenSearch/actions/workflows/precommit.yml/badge.svg)](https://github.com/opensearch-project/OpenSearch/actions/workflows/precommit.yml) [![Jenkins gradle check job](https://img.shields.io/jenkins/build?jobUrl=https%3A%2F%2Fbuild.ci.opensearch.org%2Fjob%2Fgradle-check%2F&label=Jenkins%20Gradle%20Check)](https://build.ci.opensearch.org/job/gradle-check/) [![Build packages](https://github.com/wazuh/wazuh-indexer/actions/workflows/build.yml/badge.svg)](https://github.com/wazuh/wazuh-indexer/actions/workflows/build.yml) -[![ECS Generator](https://github.com/wazuh/wazuh-indexer/actions/workflows/generate-ecs-mappings.yml/badge.svg)](https://github.com/wazuh/wazuh-indexer/actions/workflows/generate-ecs-mappings.yml) - [Welcome!](#welcome) diff --git a/ecs/.gitignore b/ecs/.gitignore deleted file mode 100644 index a8047fcd2d67d..0000000000000 --- a/ecs/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -**/mappings -*.log -generatedData.json \ No newline at end of file diff --git a/ecs/README.md b/ecs/README.md deleted file mode 100644 index cd4e4b64dc11c..0000000000000 --- a/ecs/README.md +++ /dev/null 
@@ -1,128 +0,0 @@ -## ECS mappings generator - -This script generates the ECS mappings for the Wazuh indices. - -### Requirements - -- [Docker Compose](https://docs.docker.com/compose/install/) - -### Folder structure - -There is a folder for each module. Inside each folder, there is a `fields` folder with the required files to generate the mappings. These are the inputs for the ECS generator. - -### Usage - -1. Execute the mapping-generator tool - ```bash - bash ecs/generator/mapping-generator.sh run - ``` -2. (Optional) Run the tool's cleanup - > The tool stops the container automatically, but it is recommended to run the down command if the tool is not going to be used anymore. - ```bash - bash ecs/generator/mapping-generator.sh down - ``` - -### Output - -A new `mappings` folder will be created inside the module folder, containing all the generated files. -The files are versioned using the ECS version, so different versions of the same module can be generated. -For our use case, the most important files are under `mappings//generated/elasticsearch/legacy/`: - -- `template.json`: Elasticsearch compatible index template for the module -- `opensearch-template.json`: OpenSearch compatible index template for the module - -The original output is `template.json`, which is not compatible with OpenSearch by default. -In order to make this template compatible with OpenSearch, the following changes are made: - -- The `order` property is renamed to `priority`. -- The `mappings` and `settings` properties are nested under the `template` property. - -The script takes care of these changes automatically, generating the `opensearch-template.json` file as a result. - -### Upload - -You can either upload the index template using cURL or the UI (dev tools). - -```bash -curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-states-vulnerabilities" -H "Content-Type: application/json" -d @opensearch-template.json -``` - -Notes: -- PUT and POST are interchangeable. 
-- The name of the index template does not matter. Any name can be used. -- Adjust credentials and URL accordingly. - -### Adding new mappings - -The easiest way to create mappings for a new module is to take a previous one as a base. -Copy a folder and rename it to the new module name. Then, edit the `fields` files to match the new module fields. - -The name of the folder will be the name of the module to be passed to the script. All 3 files are required. - -- `fields/subset.yml`: This file contains the subset of ECS fields to be used for the module. -- `fields/template-settings-legacy.json`: This file contains the legacy template settings for the module. -- `fields/template-settings.json`: This file contains the composable template settings for the module. - -### Event generator - -Each module contains a Python script to generate events for its module. The script prompts for the required parameters, so it can be launched without arguments: - -```bash -./event_generator.py -``` - -The script will generate a JSON file with the events, and will also ask whether to upload them to the indexer. If the upload option is selected, the script will ask for the indexer URL and port, credentials, and index name. -The script uses log file. Check it out for debugging or additional information. - ---- - -### Automatic PR creation tool - -The `generate-pr-to-plugins.sh` script found in the `ecs/scripts` folder is a tool that detects modified ECS modules, generates new templates, commits the changes to a target repository, and creates or updates a pull request. - -#### Requirements - -- Docker Compose -- GitHub CLI (`gh`) - -#### Usage - -To use the script, run the following command: - -```sh -./update-ecs-templates.sh -t -``` - -**Options** - -- `-b `: (Optional) Branch name to create or update the pull request. Default is current branch. -- `-t `: (Optional) GitHub token to authenticate with the GitHub API. 
If not provided, the script will use the `GITHUB_TOKEN` environment variable. - -#### Script Workflow - -1. **Validate Dependencies** - - Checks if the required commands (`docker`, `docker-compose`, and `gh`) are installed. - -2. **Detect Modified Modules** - - Fetches and extracts modified ECS modules by comparing the current branch with the base branch. - - Identifies relevant ECS modules that have been modified. - -3. **Run ECS Generator** - - Runs the ECS generator script for each relevant module to generate new ECS templates. - -4. **Clone Target Repository** - - Clones the target repository (`wazuh/wazuh-indexer-plugins`) if it does not already exist. - - Configures Git and GitHub CLI with the provided GitHub token. - -5. **Commit and Push Changes** - - Copies the generated ECS templates to the appropriate directory in the target repository. - - Commits and pushes the changes to the specified branch. - -6. **Create or Update Pull Request** - - Creates a new pull request or updates an existing pull request with the modified ECS templates. - -#### References - -- [ECS repository](https://github.com/elastic/ecs) -- [ECS usage](https://github.com/elastic/ecs/blob/main/USAGE.md) -- [ECS field reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) diff --git a/ecs/agent/event-generator/event_generator.py b/ecs/agent/event-generator/event_generator.py deleted file mode 100644 index 32743e2665c79..0000000000000 --- a/ecs/agent/event-generator/event_generator.py +++ /dev/null 
@@ -1,182 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-agents" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'status': random.choice(['active', 'inactive']), - 'last_login': generate_random_date(), - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'key': f'key{random.randint(0, 999)}', - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - family = random.choice( - ['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']) - version = f'{random.randint(0, 99)}.{random.randint(0, 99)}' - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'boot{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(0, 1000000) - }, - 'write': { - 'bytes': random.randint(0, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 999)}', - 'geo': { - 'city_name': random.choice(['San Francisco', 'New York', 'Berlin', 'Tokyo']), - 'continent_code': random.choice(['NA', 'EU', 'AS']), - 
'continent_name': random.choice(['North America', 'Europe', 'Asia']), - 'country_iso_code': random.choice(['US', 'DE', 'JP']), - 'country_name': random.choice(['United States', 'Germany', 'Japan']), - 'location': { - 'lat': round(random.uniform(-90.0, 90.0), 6), - 'lon': round(random.uniform(-180.0, 180.0), 6) - }, - 'name': f'geo{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': f'region{random.randint(0, 999)}', - 'region_name': f'Region {random.randint(0, 999)}', - 'timezone': random.choice(['PST', 'EST', 'CET', 'JST']) - }, - 'hostname': f'host{random.randint(0, 9999)}', - 'id': f'hostid{random.randint(0, 9999)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'hostname{random.randint(0, 9999)}', - 'network': { - 'egress': { - 'bytes': random.randint(0, 1000000), - 'packets': random.randint(0, 1000000) - }, - 'ingress': { - 'bytes': random.randint(0, 1000000), - 'packets': random.randint(0, 1000000) - } - }, - 'os': { - 'family': family, - 'full': f'{family} {version}', - 'kernel': f'kernel{random.randint(0, 999)}', - 'name': family, - 'platform': random.choice(['linux', 'windows', 'macos']), - 'type': family, - 'version': version - }, - 'pid_ns_ino': f'{random.randint(1000000, 9999999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 100), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 100), - 'static_score_norm': random.uniform(0, 1) - }, - 'uptime': random.randint(0, 1000000) - } - return host - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - 
'agent': generate_random_agent() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/agent/fields/custom/agent.yml b/ecs/agent/fields/custom/agent.yml deleted file mode 100644 index 03aa894c9d385..0000000000000 --- a/ecs/agent/fields/custom/agent.yml +++ /dev/null 
@@ -1,32 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. - - name: key - type: keyword - level: custom - description: > - The registration key of the agent. - - name: last_login - type: date - level: custom - description: > - The last time the agent logged in. - - name: status - type: keyword - level: custom - description: > - Agents' interpreted connection status depending on `agent.last_login`. - allowed_values: - - name: active - description: Active agent status - - name: disconnected - description: Disconnected agent status \ No newline at end of file diff --git a/ecs/agent/fields/custom/host.yml b/ecs/agent/fields/custom/host.yml deleted file mode 100644 index 4398a5d791e6a..0000000000000 --- a/ecs/agent/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: false - expected: - - agent \ No newline at end of file diff --git a/ecs/agent/fields/custom/os.yml b/ecs/agent/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/agent/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/agent/fields/custom/risk.yml b/ecs/agent/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/agent/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/agent/fields/mapping-settings.json b/ecs/agent/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/agent/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file 
diff --git a/ecs/agent/fields/subset.yml b/ecs/agent/fields/subset.yml deleted file mode 100644 index 93442c30b420c..0000000000000 --- a/ecs/agent/fields/subset.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -name: agent -fields: - base: - fields: - tags: [] - agent: - fields: - id: {} - name: {} - type: {} - version: {} - groups: {} - key: {} - last_login: {} - status: {} - host: - fields: "*" \ No newline at end of file diff --git a/ecs/agent/fields/template-settings-legacy.json b/ecs/agent/fields/template-settings-legacy.json deleted file mode 100644 index 9f32141d95b23..0000000000000 --- a/ecs/agent/fields/template-settings-legacy.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "index_patterns": [ - "wazuh-agents*" - ], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "agent.name", - "host.os.full", - "host.ip" - ] - } - } -} diff --git a/ecs/agent/fields/template-settings.json b/ecs/agent/fields/template-settings.json deleted file mode 100644 index 610687b43595d..0000000000000 --- a/ecs/agent/fields/template-settings.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "index_patterns": [ - "wazuh-agents*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "agent.name", - "host.os.full", - "host.ip" - ] - } - } - } -} diff --git a/ecs/alerts/fields/custom/agent.yml b/ecs/alerts/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/alerts/fields/custom/agent.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/alerts/fields/custom/host.yml b/ecs/alerts/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/alerts/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/alerts/fields/custom/os.yml b/ecs/alerts/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/alerts/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/alerts/fields/custom/risk.yml b/ecs/alerts/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/alerts/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/alerts/fields/mapping-settings.json b/ecs/alerts/fields/mapping-settings.json deleted file mode 100644 index f176a1c52e87f..0000000000000 --- a/ecs/alerts/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": true, - "date_detection": false -} diff --git a/ecs/alerts/fields/subset.yml b/ecs/alerts/fields/subset.yml deleted file mode 100644 index 8e9508407de7f..0000000000000 --- a/ecs/alerts/fields/subset.yml +++ /dev/null 
@@ -1,603 +0,0 @@ ---- -name: main -fields: - base: - fields: "*" - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - as: - fields: "*" - client: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - cloud: - fields: "*" - code_signature: - fields: "*" - container: - fields: "*" - data_stream: - fields: "*" - destination: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - device: - fields: "*" - dll: - fields: "*" - dns: - fields: "*" - ecs: - fields: "*" - elf: - fields: "*" - email: - fields: "*" - error: - fields: "*" - event: - fields: "*" - faas: - fields: "*" - file: - fields: "*" - geo: - fields: "*" - group: - fields: "*" - hash: - fields: "*" - host: - fields: "*" - http: - fields: "*" - interface: - fields: "*" - log: - fields: "*" - macho: - fields: "*" - network: - fields: "*" - observer: - fields: "*" - orchestrator: - fields: "*" - organization: - fields: "*" - os: - fields: "*" - package: - fields: "*" - pe: - fields: "*" - process: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - entry_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - entry_meta: - fields: - type: {} - source: - fields: - ip: {} - executable: {} - interactive: {} - name: {} - parent: - fields: - entity_id: {} 
- pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - attested_user: - fields: - id: {} - name: {} - attested_groups: - fields: - name: {} - entry_meta: - fields: - type: - docs_only: True - env_vars: {} - executable: {} - exit_code: {} - group_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - hash: - fields: "*" - interactive: {} - io: - fields: "*" - macho: - fields: "*" - name: {} - parent: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - executable: {} - exit_code: {} - group_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - hash: - fields: "*" - interactive: {} - macho: - fields: "*" - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - start: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - 
uptime: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - previous: - fields: - args: {} - args_count: {} - executable: {} - real_group: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - same_as_process: - docs_only: True - saved_group: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - start: {} - supplemental_groups: - fields: - id: {} - name: {} - session_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - parent: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: - fields: "*" - uptime: {} - user: - fields: - id: {} - name: {} - working_directory: {} - registry: - fields: "*" - related: - fields: "*" - risk: - fields: "*" - rule: - fields: "*" - server: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - 
top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - service: - fields: "*" - source: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - threat: - fields: "*" - tls: - fields: "*" - tracing: - fields: "*" - url: - fields: "*" - user_agent: - fields: "*" - user: - fields: - changes: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - domain: {} - effective: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - risk: - fields: "*" - roles: {} - target: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - vlan: - fields: "*" - vulnerability: - fields: "*" - x509: - fields: "*" \ No newline at end of file diff --git a/ecs/alerts/fields/template-settings-legacy.json b/ecs/alerts/fields/template-settings-legacy.json deleted file mode 100644 index 54aac2ceaf55c..0000000000000 --- a/ecs/alerts/fields/template-settings-legacy.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": [ - "wazuh-alerts-5.x-*" - ], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "mapping": { - "total_fields": { - "limit": 2500 - } - } - } - } -} \ No newline at end of file diff --git a/ecs/alerts/fields/template-settings.json b/ecs/alerts/fields/template-settings.json deleted file mode 100644 index 9982494c55ca2..0000000000000 
--- a/ecs/alerts/fields/template-settings.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": [ - "wazuh-alerts-5.x-*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": 2500 - } - }, - "refresh_interval": "5s" - } - } - } -} \ No newline at end of file diff --git a/ecs/command/event-generator/event_generator.py b/ecs/command/event-generator/event_generator.py deleted file mode 100644 index 316f888e5745b..0000000000000 --- a/ecs/command/event-generator/event_generator.py +++ /dev/null 
@@ -1,165 +0,0 @@ -#!/bin/python3 - -import argparse -import datetime -import json -import logging -import random -import requests -import urllib3 -import uuid - -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-commands" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(initial_date=None, days_range=30): - if initial_date is None: - initial_date = datetime.datetime.now(datetime.timezone.utc) - random_days = random.randint(0, days_range) - new_timestamp = initial_date + datetime.timedelta(days=random_days) - return new_timestamp.strftime('%Y-%m-%dT%H:%M:%SZ') - - -def generate_random_command(include_all_fields=False): - command = { - "source": random.choice(["Users/Services", "Engine", "Content manager"]), - "user": f"user{random.randint(1, 100)}", - "target": { - "id": f"target{random.randint(1, 10)}", - "type": random.choice(["agent", "group", "server"]) - }, - "action": { - "name": random.choice(["restart", "update","change_group", "apply_policy"]), - "args": { "arg1": f"/path/to/executable/arg{random.randint(1, 10)}"}, - "version": f"v{random.randint(1, 5)}" - }, - "timeout": random.randint(10, 100) - } - if include_all_fields: - document = { - "@timestamp": generate_random_date(), - "delivery_timestamp": generate_random_date(), - "agent": {"groups": [f"group{random.randint(1, 5)}"]}, - "command": { - **command, - "status": random.choice(["pending", "sent", "success", "failure"]), - "result": { - "code": random.randint(0, 255), - "message": f"Result message {random.randint(1, 1000)}", - "data": f"Result data {random.randint(1, 100)}" - }, - "request_id": str(uuid.uuid4()), - "order_id": str(uuid.uuid4()) - } - } - return document - - 
return command - - -def generate_random_data(number, include_all_fields=False): - data = [] - for _ in range(number): - data.append(generate_random_command(include_all_fields)) - if not include_all_fields: - return {"commands": data} - return data - - -def inject_events(protocol, ip, port, index, username, password, data, use_index=False): - try: - if not use_index: - # Use the command-manager API - url = f'{protocol}://{ip}:{port}/_plugins/_command_manager/commands' - send_post_request(username, password, url, data) - return - for event_data in data: - # Generate UUIDs for the document id - doc_id = str(uuid.uuid4()) - url = f'{protocol}://{ip}:{port}/{index}/_doc/{doc_id}' - send_post_request(username, password, url, event_data) - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def send_post_request(username, password, url, event_data): - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - # Send request - response = session.post(url, data=json.dumps(event_data), headers=headers) - if response.status_code not in [201, 200]: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - return response - - -def main(): - parser = argparse.ArgumentParser( - description="Generate and optionally inject events into an OpenSearch index or Command Manager." - ) - parser.add_argument( - "--index", - action="store_true", - help="Generate additional fields for indexing and inject into a specific index." - ) - parser.add_argument( - "--protocol", - choices=['http', 'https'], - default='https', - help="Specify the protocol to use: http or https." - ) - args = parser.parse_args() - - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. 
Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number, include_all_fields=args.index) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - json.dump(data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input( - "Do you want to inject the generated data into your indexer/command manager? (y/n) " - ).strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - - if args.index: - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - else: - index = None - - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - - inject_events(args.protocol, ip, port, index, username, password, - data, use_index=bool(args.index)) - - -if __name__ == "__main__": - main() diff --git a/ecs/command/fields/custom/agent.yml b/ecs/command/fields/custom/agent.yml deleted file mode 100644 index fd3cb2e6c41c9..0000000000000 --- a/ecs/command/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. \ No newline at end of file diff --git a/ecs/command/fields/custom/base.yml b/ecs/command/fields/custom/base.yml deleted file mode 100644 index a55b964085f7a..0000000000000 --- a/ecs/command/fields/custom/base.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: base - title: Wazuh base fields - root: true - fields: - - name: delivery_timestamp - type: date - level: custom - description: > - The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout. 
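Review bot: the deleted generator hard-codes `USERNAME = "admin"` / `PASSWORD = "admin"` as defaults and sets `session.verify = False` with the urllib3 InsecureRequestWarning silenced, so if this script is being relocated rather than retired, the copy should read credentials from the environment and make skipping TLS verification an explicit flag instead of the only behaviour; the PR description should also say where the data generator now lives, because nothing in this diff adds a replacement. Minor: `inject_events` swallows every exception into the log file and `main` returns without a non-zero exit, so a failed injection looks like success to a caller.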
diff --git a/ecs/command/fields/custom/command.yml b/ecs/command/fields/custom/command.yml deleted file mode 100644 index c19228d60f775..0000000000000 --- a/ecs/command/fields/custom/command.yml +++ /dev/null 
@@ -1,79 +0,0 @@ ---- -- name: command - title: Wazuh commands - short: Wazuh Inc. custom fields. - description: > - This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. - type: group - group: 2 - fields: - - name: source - type: keyword - level: custom - description: > - Origin of the request. - - name: user - type: keyword - level: custom - description: > - The user that originated the request. - - name: target.id - type: keyword - level: custom - description: > - Unique identifier of the destination to send the command to. - - name: target.type - type: keyword - level: custom - description: > - The destination type. One of [`group`, `agent`, `server`] - - name: action.name - type: keyword - level: custom - description: > - The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... - - name: action.args - type: object - level: custom - description: > - Command arguments object. - - name: action.version - type: keyword - level: custom - description: > - Version of the command's schema. - - name: timeout - type: short - level: custom - description: > - Seconds in which the command has to be sent to its target. - - name: status - type: keyword - level: custom - description: > - Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. - - name: result.code - type: short - level: custom - description: > - Status code returned by the target. - - name: result.message - type: keyword - level: custom - description: > - Result message returned by the target. - - name: result.data - type: keyword - level: custom - description: > - Result data returned by the target. - - name: request_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. - - name: order_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. 
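Review bot: `action.args` is declared `type: object` here, while the copy of this same field group in `ecs/docs/commands.md` (deleted further down) declares it `type: keyword` with an "Array of command arguments" description. The deletion removes both, but if the schema is moving elsewhere only one definition should survive; `object` is the one that matches the generator's `"args": { "arg1": ... }` payload and the `object` type listed in the commands.md field table.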
diff --git a/ecs/command/fields/mapping-settings.json b/ecs/command/fields/mapping-settings.json deleted file mode 100644 index 4c187abd62e87..0000000000000 --- a/ecs/command/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "true", - "date_detection": false -} diff --git a/ecs/command/fields/subset.yml b/ecs/command/fields/subset.yml deleted file mode 100644 index 7c16f42fba49e..0000000000000 --- a/ecs/command/fields/subset.yml +++ /dev/null @@ -1,13 +0,0 @@ ---- -name: command -fields: - base: - fields: - tags: [] - "@timestamp": {} - "delivery_timestamp": {} - agent: - fields: - groups: {} - command: - fields: "*" diff --git a/ecs/command/fields/template-settings-legacy.json b/ecs/command/fields/template-settings-legacy.json deleted file mode 100644 index 1223dfb62db58..0000000000000 --- a/ecs/command/fields/template-settings-legacy.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "index_patterns": ["wazuh-commands*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "command.source", - "command.target.type", - "command.status", - "command.action.name" - ] - } - } -} diff --git a/ecs/command/fields/template-settings.json b/ecs/command/fields/template-settings.json deleted file mode 100644 index b773aee50d87c..0000000000000 --- a/ecs/command/fields/template-settings.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "index_patterns": [ - "wazuh-commands*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "command.source", - "command.target.type", - "command.status", - "command.action.name" - ] - } - } - } -} diff --git a/ecs/docs/README.md b/ecs/docs/README.md deleted file mode 100644 index a94635cbce67b..0000000000000 --- a/ecs/docs/README.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# Wazuh Common Schema - -The Wazuh Common Schema is a derivation of the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) (ECS) providing a common data schema for the different central components of Wazuh. - -- [agent](./agent.md) -- [alerts](alerts.md) -- [command](commands.md) -- [states-fim](states-fim.md) -- [states-inventory-hardware](states-inventory-hardware.md) -- [states-inventory-hotfixes](states-inventory-hotfixes.md) -- [states-inventory-networks](states-inventory-networks.md) -- [states-inventory-packages](states-inventory-packages.md) -- [states-inventory-ports](states-inventory-ports.md) -- [states-inventory-processes](states-inventory-processes.md) -- [states-inventory-system](states-inventory-system.md) -- [states-vulnerabilities](states-vulnerabilities.md) - ---- - -### Useful resources -For more information and additional resources, please refer to the following links: -- [ECS schemas repository](https://github.com/elastic/ecs/tree/main/schemas) diff --git a/ecs/docs/agents.md b/ecs/docs/agents.md deleted file mode 100644 index 135c081fbb00a..0000000000000 --- a/ecs/docs/agents.md +++ /dev/null 
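Review bot: the index list links `[agent](./agent.md)` but the file deleted alongside it is `ecs/docs/agents.md`, and `[command](commands.md)` mixes relative-path styles (`./` vs none) with the other entries; if this README is being recreated at its new location, point every entry at a file that actually exists and use one link form throughout.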
@@ -1,108 +0,0 @@ -## `agents` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment-2176402993 - -Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). - -| | Field | Type | Description | Example | -| --- | -------------------- | ------- | ---------------------------------------------------------------------- | ---------------------------------- | -| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | -| | `agent.name` | keyword | Custom name of the agent. | `foo` | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` | -| \* | `agent.key` | keyword | The registration key of the agent. | `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` | -| | `agent.type` | keyword | Type of agent. | `endpoint` | -| | `agent.version` | keyword | Version of the agent. | `6.0.0-rc2` | -| \* | `agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login`. | | -| \* | `agent.last_login` | date | The last time the agent logged in. | `11/11/2024 00:00:00` | -| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | -| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: agent -fields: - base: - fields: - tags: [] - agent: - fields: - id: {} - name: {} - type: {} - version: {} - groups: {} - key: {} - last_login: {} - is_connected: {} - host: - fields: - ip: {} - os: - fields: - full: {} -``` - -```yml ---- ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - The groups the agent belongs to. - - name: key - type: keyword - level: custom - description: > - The agent's registration key. 
- - name: last_login - type: date - level: custom - description: > - The agent's last login. - - name: is_connected - type: boolean - level: custom - description: > - Agents' interpreted connection status depending on `agent.last_login`. -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-agents*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "agent.name", - "agent.type", - "agent.version", - "agent.name", - "host.os.full", - "host.ip" - ] - } - } - } -} -``` diff --git a/ecs/docs/alerts.md b/ecs/docs/alerts.md deleted file mode 100644 index dfe644ce40dc0..0000000000000 --- a/ecs/docs/alerts.md +++ /dev/null 
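Review bot: `agent.key` (the agent registration key, example `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR`) is mapped as a plain searchable `keyword` with no note on who may read it; if this data model is kept elsewhere, state explicitly whether the registration key belongs in a user-visible index, and keep it out of `query.default_field` as it is here. Also `query.default_field` lists `agent.name` twice; drop the duplicate.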
@@ -1,644 +0,0 @@ -## `wazuh-alerts-5.x` time series index - -Stateless index. - -### Fields summary - -For this stage, we are using all the fields of the ECS. No custom fields are used. As a result, we are using the default mapping of the ECS. - -- [ECS main mappings](https://github.com/elastic/ecs/blob/v8.11.0/schemas/subsets/main.yml) - -The generated template must match [this one](https://github.com/elastic/ecs/blob/v8.11.0/generated/elasticsearch/legacy/template.json). - -### ECS mapping - -```yml ---- -name: main -fields: - base: - fields: "*" - agent: - fields: "*" - as: - fields: "*" - client: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - cloud: - fields: "*" - code_signature: - fields: "*" - container: - fields: "*" - data_stream: - fields: "*" - destination: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - device: - fields: "*" - dll: - fields: "*" - dns: - fields: "*" - ecs: - fields: "*" - elf: - fields: "*" - email: - fields: "*" - error: - fields: "*" - event: - fields: "*" - faas: - fields: "*" - file: - fields: "*" - geo: - fields: "*" - group: - fields: "*" - hash: - fields: "*" - host: - fields: "*" - http: - fields: "*" - interface: - fields: "*" - log: - fields: "*" - macho: - fields: "*" - network: - fields: "*" - observer: - fields: "*" - orchestrator: - fields: "*" - organization: - fields: "*" - os: - fields: "*" - package: - 
fields: "*" - pe: - fields: "*" - process: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - entry_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - entry_meta: - fields: - type: {} - source: - fields: - ip: {} - executable: {} - interactive: {} - name: {} - parent: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - attested_user: - fields: - id: {} - name: {} - attested_groups: - fields: - name: {} - entry_meta: - fields: - type: - docs_only: True - env_vars: {} - executable: {} - exit_code: {} - group_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - hash: - fields: "*" - interactive: {} - io: - fields: "*" - macho: - fields: "*" - name: {} - parent: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - executable: 
{} - exit_code: {} - group_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - hash: - fields: "*" - interactive: {} - macho: - fields: "*" - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - start: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - uptime: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - previous: - fields: - args: {} - args_count: {} - executable: {} - real_group: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - same_as_process: - docs_only: True - saved_group: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - start: {} - supplemental_groups: - fields: - id: {} - name: {} - session_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - parent: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: 
- fields: "*" - uptime: {} - user: - fields: - id: {} - name: {} - working_directory: {} - registry: - fields: "*" - related: - fields: "*" - risk: - fields: "*" - rule: - fields: "*" - server: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - service: - fields: "*" - source: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - threat: - fields: "*" - tls: - fields: "*" - tracing: - fields: "*" - url: - fields: "*" - user_agent: - fields: "*" - user: - fields: - changes: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - domain: {} - effective: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - risk: - fields: "*" - roles: {} - target: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - vlan: - fields: "*" - vulnerability: - fields: "*" - x509: - fields: "*" -``` - -### Template settings - -```json -{ - "index_patterns": [ - "wazuh-alerts-5.x-*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": 2500 - } - }, - "refresh_interval": "5s" - } - } - } -} -``` - -### Mapping settings - -```json -{ - "dynamic": true, - 
"date_detection": false -} -``` diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md deleted file mode 100644 index 5cd6d34eed49a..0000000000000 --- a/ecs/docs/commands.md +++ /dev/null 
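Review bot: the mapping settings here use the boolean `"dynamic": true`, while `ecs/command/fields/mapping-settings.json` in the same diff uses the string `"dynamic": "true"`; OpenSearch accepts both, but pick one form so the generated templates are diffable. Both blocks set `"date_detection": false`, which is the right default for an ECS-style template where every date field is declared explicitly.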
@@ -1,168 +0,0 @@ -## `commands` index data model - -> [!NOTE] -> rev 0.1 - September 18th, 2024: Add initial model. -> rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword. -> rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`. -> rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654. -> rev 0.5 - December 3rd, 2024: Added `@timestamp` and `delivery_timestamp` date fields. -> rev 0.6 - January 24th, 2025: Rename index to `wazuh-commands`. The index is now visible to users. - -### Fields summary - -This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time. - -| | Field | Type | Description | -| --- | ------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | -| \* | `command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. | -| \* | `command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. | -| \* | `command.target.id` | keyword | Unique identifier of the destination to send the command to. | -| \* | `command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], | -| \* | `command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... | -| \* | `command.action.args` | object | Command arguments. The Object type allows for ad-hoc format of the value. | -| \* | `command.action.version` | keyword | Version of the command's schema. 
| -| \* | `command.timeout` | short | Time window in which the command has to be sent to its target. | -| \* | `command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. | -| \* | `command.result.code` | short | Status code returned by the target. | -| \* | `command.result.message` | keyword | Result message returned by the target. | -| \* | `command.result.data` | keyword | Result data returned by the target. | -| \* | `command.request_id` | keyword | UUID generated by the Command Manager. | -| \* | `command.order_id` | keyword | UUID generated by the Command Manager. | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: command -fields: - base: - fields: - tags: [] - "@timestamp": {} - "delivery_timestamp": {} - agent: - fields: - groups: {} - command: - fields: "*" -``` - -```yml ---- -- name: command - title: Wazuh commands - short: Wazuh Inc. custom fields. - description: > - This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. - type: group - group: 2 - fields: - - name: source - type: keyword - level: custom - description: > - Origin of the request. - - name: user - type: keyword - level: custom - description: > - The user that originated the request. - - name: target.id - type: keyword - level: custom - description: > - Unique identifier of the destination to send the command to. - - name: target.type - type: keyword - level: custom - description: > - The destination type. One of [`group`, `agent`, `server`] - - name: action.name - type: keyword - level: custom - description: > - The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... - - name: action.args - type: keyword - level: custom - description: > - Array of command arguments, starting with the absolute path to the executable. 
- - name: action.version - type: keyword - level: custom - description: > - Version of the command's schema. - - name: timeout - type: short - level: custom - description: > - Time window in which the command has to be sent to its target. - - name: status - type: keyword - level: custom - description: > - Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. - - name: result.code - type: short - level: custom - description: > - Status code returned by the target. - - name: result.message - type: keyword - level: custom - description: > - Result message returned by the target. - - name: result.data - type: keyword - level: custom - description: > - Result data returned by the target. - - name: request_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. - - name: order_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. -``` -```yml -- name: base - title: Wazuh base fields - root: true - fields: - - name: delivery_timestamp - type: date - level: custom - description: > - The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout. -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-commands*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "command.source", - "command.target.type", - "command.status", - "command.action.name" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md deleted file mode 100644 index 29c9f103e3f55..0000000000000 --- a/ecs/docs/inventory-hardware.md +++ /dev/null 
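Review bot: the field table omits `@timestamp` and `delivery_timestamp` even though rev 0.5 says they were added and both the subset block (`"@timestamp": {}`, `"delivery_timestamp": {}`) and the `base` group block in this same file define them. The table also types `command.action.args` as `object` while the YAML block a few lines below declares `type: keyword` with an array description; if this document is being kept at another location, align the table and the YAML on `object` and add the two date fields to the table.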
@@ -1,81 +0,0 @@ -## `wazuh-states-inventory-hardware` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). - -| | Field name | Data type | Description | Example | -| --- | ----------------------------- | --------- | ------------------------------------ | -------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | -| | `observer.serial_number` | keyword | Observer serial number. | | -| \* | `host.cpu.name` | keyword | Name of the CPU | | -| \* | `host.cpu.cores` | long | Number of CPU cores | | -| \* | `host.cpu.speed` | long | Speed of the CPU in MHz | | -| \* | `host.memory.total` | long | Total RAM in the system | | -| \* | `host.memory.free` | long | Free RAM in the system | | -| \* | `host.memory.used.percentage` | long | RAM usage as a percentage | | - -\* Custom fields - -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-hardware -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - observer: - fields: - serial_number: {} - host: - fields: - memory: - fields: - total: {} - free: {} - used: - fields: - percentage: {} - cpu: - fields: - name: {} - cores: {} - speed: {} -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-inventory-hardware*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": ["observer.board_serial"] - } - } - } -} -``` 
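Review bot: `query.default_field` is set to `["observer.board_serial"]`, but the only observer field in the mapping is `observer.serial_number`, so default queries against this index would target a field that does not exist; if the template is recreated elsewhere it should read `"query.default_field": ["observer.serial_number"]`. The `agent.*` row's Example cell also contains a lone backtick, which breaks the Markdown table cell.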
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md deleted file mode 100644 index 23ddbf8855fd3..0000000000000 --- a/ecs/docs/inventory-hotfixes.md +++ /dev/null @@ -1,66 +0,0 @@ -## `wazuh-states-inventory-hotfixes` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). - -| | Field name | Data type | Description | Example | -| --- | --------------------- | --------- | --------------------- | -------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Timestamp of the scan | `2016-05-23T08:05:34.853Z` | -| \* | `package.hotfix.name` | keyword | Name of the hotfix | | - -\* Custom fields - -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-hotfixes -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: - hotfix: - fields: - name: {} -``` - -### Index settings - -```json -{ - "index_patterns": [ - "wazuh-states-inventory-hotfixes*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "package.hotfix.name" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md deleted file mode 100644 index 9a565348e1f05..0000000000000 --- a/ecs/docs/inventory-networks.md +++ /dev/null 
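Review bot: the subset pulls in `host: fields: "*"` although the field table documents only `agent.*`, `@timestamp` and `package.hotfix.name`; either trim the subset to what the table promises or list the host fields in the table so the mapping and the documentation agree. As in the hardware table, the `agent.*` Example cell holds a stray backtick that breaks rendering.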
@@ -1,116 +0,0 @@ -## `wazuh-states-inventory-networks` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). - -| | Field name | Data type | Description | Example | -| --- | ---------------------------------- | --------- | ------------------------------------------------------------------------------ | -------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | -| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | -| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | -| | `host.mac` | keyword | Host MAC addresses. | | -| | `host.network.egress.bytes` | long | The number of bytes sent on all network interfaces. | | -| | `host.network.egress.packets` | long | The number of packets sent on all network interfaces. | | -| | `host.network.ingress.bytes` | long | The number of bytes received on all network interfaces. | | -| | `host.network.ingress.packets` | long | The number of packets received on all network interfaces. | | -| | `network.protocol` | keyword | Application protocol name. | `http` | -| | `network.type` | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. | `ipv4` | -| | `observer.ingress.interface.alias` | keyword | Interface alias. | `outside` | -| | `observer.ingress.interface.name` | keyword | Interface name. | `eth0` | -| \* | `host.network.egress.drops` | long | Number of dropped transmitted packets. 
| | -| \* | `host.network.egress.errors` | long | Number of transmission errors. | | -| \* | `host.network.ingress.drops` | long | Number of dropped received packets. | | -| \* | `host.network.ingress.errors` | long | Number of reception errors. | | -| \* | `interface.mtu` | long | Maximum transmission unit size. | | -| \* | `interface.state` | keyword | State of the network interface. | | -| \* | `interface.type` | keyword | Interface type (eg. "wireless" or "ethernet"). | | -| \* | `network.broadcast` | ip | Broadcast address. | | -| \* | `network.dhcp` | keyword | DHCP status (enabled, disabled, unknown, BOOTP). | | -| \* | `network.gateway` | ip | Gateway address. | | -| \* | `network.metric` | long | Metric of the network protocol. | | -| \* | `network.netmask` | ip | Network mask. | | - -\* Custom fields - -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-networks -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - host: - fields: "*" - interface: - fields: - mtu: {} - state: {} - type: {} - network: - fields: - broadcast: {} - dhcp: {} - gateway: {} - metric: {} - netmask: {} - protocol: {} - type: {} - observer: - fields: - ingress: - fields: - interface: - fields: - alias: {} - name: {} -``` - -### Index settings - -```json -{ - "index_patterns": [ - "wazuh-states-inventory-networks*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "device.id", - "event.id", - "host.ip", - "observer.ingress.interface.name", - "observer.ingress.interface.alias", - "process.name" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md deleted file mode 100644 index a40ba21b98631..0000000000000 --- a/ecs/docs/inventory-packages.md +++ /dev/null 
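Review bot: `query.default_field` lists `event.id` and `process.name`, neither of which is in this index's subset (no `event` or `process` group is selected), so those entries are dead; if the template is kept elsewhere, reduce the list to mapped fields such as `agent.id`, `agent.groups`, `device.id`, `host.ip` and the two `observer.ingress.interface.*` fields. The subset also repeats `host: fields: "*"` twice; one entry is enough.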
@@ -1,95 +0,0 @@ -## `wazuh-states-inventory-packages` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). - -| | Field name | Data type | Description | Example | -| --- | ---------------------- | --------- | ------------------------------------ | ------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Timestamp of the scan. | | -| | `package.architecture` | keyword | Package architecture. | | -| | `package.description` | keyword | Description of the package. | | -| | `package.installed` | date | Time when package was installed. | | -| | `package.name` | keyword | Package name. | | -| | `package.path` | keyword | Path where the package is installed. | | -| | `package.size` | long | Package size in bytes. | | -| | `package.type` | keyword | Package type. | | -| | `package.version` | keyword | Package version. | | - -\* Custom field - -
Fields not included in ECS -

- -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------------ | -| ? | priority | | | Priority of the program | -| ? | section | | | Section of the program category the package belongs to in DEB package managers | -| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | -| ? | multiarch | | | Multi-architecture compatibility | -| X | source | | | Source of the program - package manager | - -

-
- -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-packages -fields: - base: - fields: - "@timestamp": {} - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: - architecture: "" - description: "" - installed: {} - name: "" - path: "" - size: {} - type: "" - version: "" -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-inventory-packages*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "package.architecture", - "package.name", - "package.version", - "package.type" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md deleted file mode 100644 index ae576b9cc90a4..0000000000000 --- a/ecs/docs/inventory-ports.md +++ /dev/null 
@@ -1,112 +0,0 @@ -## `wazuh-states-inventory-ports` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). - -| | Field name | Data type | Description | Example | -| --- | ---------------------------- | --------- | ---------------------------------------------- | -------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Timestamp of the scan. | `2016-05-23T08:05:34.853Z` | -| | `destination.ip` | ip | IP address of the destination. | `["192.168.0.100"]` | -| | `destination.port` | long | Port of the destination. | | -| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | -| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | -| | `network.protocol` | keyword | Application protocol name. | `http` | -| | `process.name` | keyword | Process name. | `ssh` | -| | `process.pid` | long | Process ID. | `4242` | -| | `source.ip` | ip | IP address of the source. | `["192.168.0.100"]` | -| | `source.port` | long | Port of the source. | | -| \* | `host.network.egress.queue` | long | Transmit queue length. | | -| \* | `host.network.ingress.queue` | long | Receive queue length. | | -| \* | `interface.state` | keyword | State of the network interface. 
| | - -\* Custom fields - -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-ports -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - destination: - fields: - ip: {} - port: {} - device: - fields: - id: {} - file: - fields: - inode: {} - host: - fields: - network: - fields: - egress: - fields: - queue: {} - ingress: - fields: - queue: {} - network: - fields: - protocol: {} - process: - fields: - name: {} - pid: {} - source: - fields: - ip: {} - port: {} - interface: - fields: - state: {} -``` - -### Index settings - -```json -{ - "index_patterns": [ - "wazuh-states-inventory-ports*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "source.ip", - "destination.ip" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md deleted file mode 100644 index 4f3451746aaed..0000000000000 --- a/ecs/docs/inventory-processes.md +++ /dev/null 
@@ -1,138 +0,0 @@ -## `wazuh-states-inventory-processes` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). - -| | Field name | Data type | Description | Examples | Comments | -|----|---------------------------------| --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | | -| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | | -| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | | -| | `process.name` | keyword | Process name. | `ssh` | | -| | `process.parent.pid` | long | Parent process ID. | `4242` | | -| | `process.pid` | long | Process ID. | `4242` | | -| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | | -| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | -| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | | -| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | -| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | | -| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | -| ! | `process.thread.id` | long | Thread ID. | | `thread.group` is **not part of ECS;** but `thread.id` is. 
| -| | `process.tty.char_device.major` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | -| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | - -\* Custom field - -!: Fields awaiting analysis - -
Fields not included in ECS -

- -| | Field name | ECS field name | Data type | Description | Example | Comments | -| --- | ---------- | ------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------- | ------- | ---------------------------------------------------------- | -| x | state | `process.state` | **No ECS mapping** | State of the process | | **Not part of ECS;** Maybe as a custom field. | -| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | | **Not part of ECS;** Maybe as a custom field. | -| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | | **Not part of ECS;** Maybe as a custom field. | -| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | | | -| x | priority | `process.priority` | **No ECS mapping** | Process priority | | **Not part of ECS;** Maybe as a custom field. | -| x | nice | `process.nice` | **No ECS mapping** | Nice value | | **Not part of ECS;** Maybe as a custom field. | -| x | size | `process.size` | **No ECS mapping** | Process size | | **Not part of ECS;** Maybe as a custom field. | -| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | | **Not part of ECS;** Maybe as a custom field. | -| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | | **Not part of ECS;** Maybe as a custom field. | -| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | | **Not part of ECS;** Maybe as a custom field. | -| ! | pgrp | `process.group.id` | keyword | Process group | | Isn't it duplicated ?? | -| x | session | `process.session` | **No ECS mapping** | Session ID | | **Not part of ECS;** Needs clarification. | -| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | | **Not part of ECS;** Needs clarification. | -| ! 
| tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | | `thread.group` is **not part of ECS;** but `thread.id` is. | -| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | | No ECS field refers to the core number of the CPU. | - -

-
- -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-processes -fields: - base: - fields: - "@timestamp": {} - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - process: - fields: - pid: {} - name: "" - parent: - fields: - pid: {} - command_line: "" - args: "" - user: - fields: - id: "" - real_user: - fields: - id: "" - saved_user: - fields: - id: "" - group: - fields: - id: "" - real_group: - fields: - id: "" - saved_group: - fields: - id: "" - start: {} - thread: - fields: - id: "" - tty: - fields: - char_device: - fields: - major: "" -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-inventory-processes*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "process.pid", - "process.command_line" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md deleted file mode 100644 index 42dcec74368c5..0000000000000 --- a/ecs/docs/inventory-system.md +++ /dev/null 
@@ -1,98 +0,0 @@ -## `wazuh-states-inventory-system` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). - -| | Field name | Data type | Description | Example | -| --- | ------------------- | --------- | ---------------------------------------------------------- | -------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | -| | `host.architecture` | keyword | Operating system architecture. | `x86_64` | -| | `host.hostname` | keyword | Hostname of the host. | | -| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | -| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | `4.4.0-112-generic` | -| | `host.os.name` | keyword | Operating system name, without the version. | `Mac OS X` | -| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | `darwin` | -| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | `macos` | -| | `host.os.version` | keyword | Operating system version as a raw string. | `10.14.1` | - -\* Custom field - -
Details -

- -Removed fields: - -- os_display_version -- os_major (can be extracted from os_version) -- os_minor (can be extracted from os_version) -- os_patch (can be extracted from os_version) -- os_release -- reference -- release -- scan_id -- sysname -- version -- checksum - -Available fields: - -- `os.family` -- `hots.name` - -

-
- -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-system -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - host: - fields: "*" -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-inventory-system*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.name", - "host.os.type", - "host.os.version" - ] - } - } - } -} -``` diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md deleted file mode 100644 index 380c71c8d0495..0000000000000 --- a/ecs/docs/states-fim.md +++ /dev/null 
@@ -1,106 +0,0 @@ -## `wazuh-states-fim` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189377542 - -Based on ECS: - -- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). -- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). - -| | Field | Type | Description | Example | -| --- | ------------------ | ------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `file.attributes` | keyword | Array of file attributes. | `["readonly", "system"]` | -| | `file.gid` | keyword | Primary group ID (GID) of the file. | `1001` | -| | `file.group` | keyword | Primary group name of the file. | `alice` | -| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | -| | `file.name` | keyword | Name of the file including the extension, without the directory. | `example.png` | -| | `file.mode` | keyword | File permissions in octal mode. | `0640` | -| | `file.mtime` | date | Last time the file's metadata changed. | | -| | `file.owner` | keyword | File owner’s username. | | -| | `file.path` | keyword | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png` | -| | `file.size` | long | File size in bytes. | `16384` | -| | `file.target_path` | keyword | Target path for symlinks. | | -| | `file.type` | keyword | File type (file, dir, or symlink). | `file` | -| | `file.uid` | keyword | User ID (UID) of the file owner. | `1001` | -| | `file.hash.md5` | keyword | MD5 hash of the file. | | -| | `file.hash.sha1` | keyword | SHA1 hash of the file. | | -| | `file.hash.sha256` | keyword | SHA256 hash of the file. 
| | -| | `registry.key` | keyword | Hive-relative path of keys. | `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` | -| | `registry.value` | keyword | Name of the value written. | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: wazuh-states-fim -fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - file: - fields: - attributes: {} - name: {} - path: {} - gid: {} - group: {} - inode: {} - hash: - fields: - md5: {} - sha1: {} - sha256: {} - mtime: {} - mode: {} - size: {} - target_path: {} - type: {} - uid: {} - owner: {} - registry: - fields: - key: {} - value: {} -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-fim*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } - } -} -``` diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md deleted file mode 100644 index fd560c1134b30..0000000000000 --- a/ecs/docs/states-vulnerability.md +++ /dev/null 
@@ -1,169 +0,0 @@ -## `wazuh-states-vulnerabilities` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs/vulnerability-detector - -Based on ECS: - -- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html). - -| | Field | Type | Description | -| --- | ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | -| | `agent.*` | object | All the `agent` fields. | ` | -| | `host.*` | object | All the `host` fields. | -| | `package.architecture` | keyword | Package architecture. | -| | `package.build_version` | keyword | Additional information about the build version of the installed package. | -| | `package.checksum` | keyword | Checksum of the installed package for verification. | -| | `package.description` | keyword | Description of the package. | -| | `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. | -| | `package.installed` | date | Time when package was installed. | -| | `package.license` | keyword | License under which the package was released. | -| | `package.name` | keyword | Package name | -| | `package.path` | keyword | Path where the package is installed. | -| | `package.reference` | keyword | Home page or reference URL of the software in this package, if available. | -| | `package.size` | long | Package size in bytes. | -| | `package.type` | keyword | Type of package. 
| -| | `package.version` | keyword | Package version | -| | `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects | -| | `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. | -| | `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability | -| \* | `vulnerability.detected_at` | date | Vulnerability's detection date. | -| | `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. | -| | `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. | -| \* | `vulnerability.published_at` | date | Vulnerability's publication date. | -| | `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. | -| | `vulnerability.report_id` | keyword | The report or scan identification number. | -| \* | `vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). | -| | `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. | -| | `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| | `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| | `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| | `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. 
| -| | `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. | -| \* | `vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. | -| \* | `wazuh.cluster.name` | keyword | Name of the Wazuh cluster. | -| \* | `wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. | -| \* | `wazuh.schema.version` | keyword | Version of the Wazuh schema. | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: wazuh-states-vulnerabilities -fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: "*" - host: - fields: "*" - vulnerability: - fields: "*" - wazuh: - fields: "*" - -``` - -```yml ---- -- name: vulnerability - title: Vulnerability - group: 2 - short: Fields to describe the vulnerability relevant to an event. - description: > - The vulnerability fields describe information about a vulnerability that is - relevant to an event. - type: group - fields: - - name: detected_at - type: date - level: custom - description: > - Vulnerability's detection date. - - name: published_at - type: date - level: custom - description: > - Vulnerability's publication date. - - name: under_evaluation - type: boolean - level: custom - description: > - Indicates if the vulnerability is awaiting analysis by the NVD. - - name: scanner.source - type: keyword - level: custom - description: > - The origin of the decision of the scanner (AKA feed used to detect the vulnerability). -``` - -```yml ---- ---- -- name: wazuh - title: Wazuh - description: > - Wazuh Inc. custom fields - fields: - - name: cluster.name - type: keyword - level: custom - description: > - Wazuh cluster name. - - name: cluster.node - type: keyword - level: custom - description: > - Wazuh cluster node name. 
- - name: schema.version - type: keyword - level: custom - description: > - Wazuh schema version. -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-vulnerabilities*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.os.full", - "host.os.version", - "package.name", - "package.version", - "vulnerability.id", - "vulnerability.description", - "vulnerability.severity", - "wazuh.cluster.name" - ] - } - } - } -} -``` diff --git a/ecs/generator/images/Dockerfile b/ecs/generator/images/Dockerfile deleted file mode 100644 index 357a2baa73ec8..0000000000000 --- a/ecs/generator/images/Dockerfile +++ /dev/null @@ -1,33 +0,0 @@ -FROM python:3.10 - -# Define the version as a build argument -ARG ECS_VERSION=v8.11.0 - -# Update the package list and upgrade all packages -RUN apt-get update && \ - apt-get upgrade -y && \ - # Install dependencies - apt-get install -y git jq && \ - # Cleanup - apt-get clean && \ - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ - # Clone elastic ECS repository and install required Python libraries - git clone https://github.com/elastic/ecs.git -b ${ECS_VERSION} --depth 1 && \ - pip install -r ecs/scripts/requirements.txt && \ - # Create the directory for the ecs definitions (this will be used as a volume) - mkdir -p /source/ecs - -# Ensure the generator.sh script is in the correct location -ADD ecs/generator/images/generator.sh /ecs/generator.sh - -# Define the directory as a volume to allow for external mounting -VOLUME /source/ecs - -# Ensure the generator.sh script is executable -RUN chmod +x /ecs/generator.sh - -# Set the working directory to the ECS repository -WORKDIR /ecs - -# Define the entry point for the container to execute the generator.sh script -ENTRYPOINT ["/bin/bash", "/ecs/generator.sh"] 
diff --git a/ecs/generator/images/generator.sh b/ecs/generator/images/generator.sh deleted file mode 100755 index 2b6b3c05f0068..0000000000000 --- a/ecs/generator/images/generator.sh +++ /dev/null 
@@ -1,103 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Default values -ECS_VERSION="${ECS_VERSION:-v8.11.0}" -ECS_SOURCE="${ECS_SOURCE:-/source}" - -# Function to display usage information -show_usage() { - echo "Usage: $0" - echo "Environment Variables:" - echo " * ECS_MODULE: Module to generate mappings for" - echo " * ECS_VERSION: (Optional) ECS version to generate mappings for (default: v8.11.0)" - echo " * ECS_SOURCE: (Optional) Path to the wazuh-indexer repository (default: /source)" - echo "Example: docker run -e ECS_MODULE=alerts -e ECS_VERSION=v8.11.0 ecs-generator" -} - -# Ensure ECS_MODULE is provided -if [ -z "${ECS_MODULE:-}" ]; then - show_usage - exit 1 -fi - -# Function to remove multi-fields from the generated index template -remove_multi_fields() { - local in_file="$1" - local out_file="$2" - - jq 'del( - .mappings.properties.agent.properties.host.properties.os.properties.full.fields, - .mappings.properties.agent.properties.host.properties.os.properties.name.fields, - .mappings.properties.host.properties.os.properties.full.fields, - .mappings.properties.host.properties.os.properties.name.fields, - .mappings.properties.process.properties.command_line.fields, - .mappings.properties.process.properties.name.fields, - .mappings.properties.vulnerability.properties.description.fields - )' "$in_file" > "$out_file" -} - -# Function to generate mappings -generate_mappings() { - local ecs_module="$1" - local indexer_path="$2" - local ecs_version="$3" - - local in_files_dir="$indexer_path/ecs/$ecs_module/fields" - local out_dir="$indexer_path/ecs/$ecs_module/mappings/$ecs_version" - - # Ensure the output directory exists - mkdir -p "$out_dir" - - # Generate mappings - python scripts/generator.py --strict --ref "$ecs_version" \ - --include "$in_files_dir/custom/" \ 
- --subset "$in_files_dir/subset.yml" \ - --template-settings "$in_files_dir/template-settings.json" \ - --template-settings-legacy "$in_files_dir/template-settings-legacy.json" \ - --mapping-settings "$in_files_dir/mapping-settings.json" \ - --out "$out_dir" - - # Replace unsupported types - echo "Replacing unsupported types in generated mappings" - find "$out_dir" -type f -exec sed -i 's/constant_keyword/keyword/g' {} \; - find "$out_dir" -type f -exec sed -i 's/wildcard/keyword/g' {} \; - find "$out_dir" -type f -exec sed -i 's/match_only_text/keyword/g' {} \; - find "$out_dir" -type f -exec sed -i 's/flattened/flat_object/g' {} \; - find "$out_dir" -type f -exec sed -i 's/scaled_float/float/g' {} \; - find "$out_dir" -type f -exec sed -i '/scaling_factor/d' {} \; - - local in_file="$out_dir/generated/elasticsearch/legacy/template.json" - local out_file="$out_dir/generated/elasticsearch/legacy/template-tmp.json" - - # Delete the "tags" field from the index template - echo "Deleting the \"tags\" field from the index template" - jq 'del(.mappings.properties.tags)' "$in_file" > "$out_file" - mv "$out_file" "$in_file" - - # Remove multi-fields from the generated index template - echo "Removing multi-fields from the index template" - remove_multi_fields "$in_file" "$out_file" - mv "$out_file" "$in_file" - - # Transform legacy index template for OpenSearch compatibility - jq '{ - "index_patterns": .index_patterns, - "priority": .order, - "template": { - "settings": .settings, - "mappings": .mappings - } - }' "$in_file" > "$out_dir/generated/elasticsearch/legacy/opensearch-template.json" - - echo "Mappings saved to $out_dir" -} - -# Generate mappings -generate_mappings "$ECS_MODULE" "$ECS_SOURCE" "$ECS_VERSION" diff --git a/ecs/generator/mapping-generator.sh b/ecs/generator/mapping-generator.sh deleted file mode 100644 index 3fc2406e11354..0000000000000 --- a/ecs/generator/mapping-generator.sh +++ /dev/null 
@@ -1,79 +0,0 @@ -#!/bin/bash - -# Run the ECS generator tool container. -# Requirements: -# - Docker -# - Docker Compose - -set -e - -# The container is built only if needed, the tool can be executed several times -# for different modules in the same build since the script runs as entrypoint - - - -# ==== -# Checks that the script is run from the intended location -# ==== -function navigate_to_project_root() { - local repo_root_marker - local script_path - repo_root_marker=".github" - script_path=$(dirname "$(realpath "$0")") - - while [[ "$script_path" != "/" ]] && [[ ! -d "$script_path/$repo_root_marker" ]]; do - script_path=$(dirname "$script_path") - done - - if [[ "$script_path" == "/" ]]; then - echo "Error: Unable to find the repository root." - exit 1 - fi - - cd "$script_path" -} - -# ==== -# Displays usage information -# ==== -function usage() { - echo "Usage: $0 {run|down|stop} [REPO_PATH]" - exit 1 -} - -function main() { - local compose_filename="ecs/generator/mapping-generator.yml" - local compose_command - local module - local repo_path - - navigate_to_project_root - - compose_command="docker compose -f $compose_filename" - - case $1 in - run) - if [[ "$#" -lt 2 || "$#" -gt 3 ]]; then - usage - fi - module="$2" - repo_path="${3:-$(pwd)}" - - # Start the container with the required env variables - ECS_MODULE="$module" REPO_PATH="$repo_path" $compose_command up - # The containers are stopped after each execution - $compose_command stop - ;; - down) - $compose_command down - ;; - stop) - $compose_command stop - ;; - *) - usage - ;; - esac -} - -main "$@" diff --git a/ecs/generator/mapping-generator.yml b/ecs/generator/mapping-generator.yml deleted file mode 100644 index e0f54b0248f82..0000000000000 --- a/ecs/generator/mapping-generator.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -services: - ecs-mapping-generator: - image: wazuh-ecs-generator - container_name: wazuh-ecs-generator - build: - context: ./../.. - dockerfile: ${REPO_PATH:-.}/ecs/generator/images/Dockerfile - volumes: - - ${REPO_PATH:-.}/ecs:/source/ecs - environment: - - ECS_MODULE=${ECS_MODULE} diff --git a/ecs/scripts/generate-pr-to-plugins.sh b/ecs/scripts/generate-pr-to-plugins.sh deleted file mode 100644 index 08303890a3c0f..0000000000000 --- a/ecs/scripts/generate-pr-to-plugins.sh +++ /dev/null 
@@ -1,296 +0,0 @@ -#!/usr/bin/env bash - -# Constants -ECS_VERSION=${ECS_VERSION:-v8.11.0} -MAPPINGS_SUBPATH="mappings/${ECS_VERSION}/generated/elasticsearch/legacy/template.json" -TEMPLATES_PATH="plugins/setup/src/main/resources/" -PLUGINS_REPO="wazuh/wazuh-indexer-plugins" -CURRENT_PATH=$(pwd) -OUTPUT_PATH=${OUTPUT_PATH:-"$CURRENT_PATH"/../output} -BASE_BRANCH=${BASE_BRANCH:-main} -PLUGINS_LOCAL_PATH=${PLUGINS_LOCAL_PATH:-"$CURRENT_PATH"/../wazuh-indexer-plugins} - -# Committer's identity -COMMITER_EMAIL=${COMMITER_EMAIL:-$(git config user.email)} -COMMITTER_USERNAME=${COMMITTER_USERNAME:-$(git config user.name)} # Human readable username - -# Global variables -declare -a relevant_modules -declare -A module_to_file - -# Check if a command exists on the system. -# Parameters: -# $1: Command to check. -command_exists() { - command -v "$1" &> /dev/null -} - -# Validate that all required dependencies are installed. -validate_dependencies() { - local required_commands=("docker" "docker-compose" "gh") - for cmd in "${required_commands[@]}"; do - if ! command_exists "$cmd"; then - echo "Error: $cmd is not installed. Please install it and try again." - exit 1 - fi - done -} - -# Check if the script is being executed in a GHA Workflow -check_running_on_gha() { - if [[ -n "${GITHUB_RUN_ID}" ]]; then - return 0 - else - return 1 - fi -} - -# Detect modified ECS modules by comparing the current branch with the base branch. -detect_modified_modules() { - echo - echo "---> Fetching and extracting modified ECS modules..." - git fetch origin +refs/heads/main:refs/remotes/origin/main - local modified_files - local updated_modules=() - modified_files=$(git diff --name-only origin/"$BASE_BRANCH") - - for file in $modified_files; do - if [[ $file == ecs/* ]]; then - ecs_module=$(echo "$file" | cut -d'/' -f2) - if [[ ! 
" ${updated_modules[*]} " =~ ${ecs_module} ]]; then - updated_modules+=("$ecs_module") - fi - fi - done - echo "Updated ECS modules: ${updated_modules[*]}" - - # Mapping section - module_to_file=( - [agent]="index-template-agent.json" - [alerts]="index-template-alerts.json" - [command]="index-template-commands.json" - [states-fim]="index-template-fim.json" - [states-inventory-hardware]="index-template-hardware.json" - [states-inventory-hotfixes]="index-template-hotfixes.json" - [states-inventory-networks]="index-template-networks.json" - [states-inventory-packages]="index-template-packages.json" - [states-inventory-ports]="index-template-ports.json" - [states-inventory-processes]="index-template-processes.json" - [states-inventory-scheduled-commands]="index-template-scheduled-commands.json" - [states-inventory-system]="index-template-system.json" - [states-vulnerabilities]="index-template-vulnerabilities.json" - ) - - relevant_modules=() - for ecs_module in "${updated_modules[@]}"; do - if [[ -n "${module_to_file[$ecs_module]}" ]]; then - relevant_modules+=("$ecs_module") - fi - done - echo "Relevant ECS modules: ${relevant_modules[*]}" -} - -# Run the ECS generator script for relevant modules. -run_ecs_generator() { - echo - echo "---> Running ECS Generator script..." - if [[ ${#relevant_modules[@]} -gt 0 ]]; then - for ecs_module in "${relevant_modules[@]}"; do - bash ecs/generator/mapping-generator.sh run "$ecs_module" - echo "Processed ECS module: $ecs_module" - bash ecs/generator/mapping-generator.sh down - done - else - echo "No relevant modifications detected in ecs/ directory." - exit 0 - fi -} - -# Clone the target repository and set up GitHub authentication. -clone_target_repo() { - # Clone the remote repository and change working directory to the - # folder it was cloned to. - echo - echo "---> Cloning ${PLUGINS_REPO} repository..." - if [ ! 
-d "$PLUGINS_LOCAL_PATH" ]; then - git clone \ - https://"$GITHUB_TOKEN"@github.com/$PLUGINS_REPO.git \ - "$PLUGINS_LOCAL_PATH" - fi - cd "$PLUGINS_LOCAL_PATH" || exit - - # Only for the GH Workflow - if check_running_on_gha; then - echo "Configuring Git for ${COMMITTER_USERNAME}" - configure_git - fi -} - -# Configure Git with the committer's identity and commit signing. -configure_git() { - # Setup the committers identity. - git config --global user.email "${COMMITER_EMAIL}" - git config --global user.name "${COMMITTER_USERNAME}" - - # Store the SSH key pair so Git can read it. - mkdir -p ~/.ssh/ - echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519_bot - echo "${SSH_PUBLIC_KEY}" > ~/.ssh/id_ed25519_bot.pub - chmod 600 ~/.ssh/id_ed25519_bot - chmod 644 ~/.ssh/id_ed25519_bot.pub - - # Setup commit signing - ssh-add ~/.ssh/id_ed25519_bot - git config --global gpg.format ssh - git config --global commit.gpgsign true - git config --global user.signingkey ~/.ssh/id_ed25519_bot.pub -} - -# Commit and push changes to the target repository. -commit_and_push_changes() { - echo - echo "---> Committing and pushing changes to ${PLUGINS_REPO} repository..." - git ls-remote --exit-code --heads origin "$BRANCH_NAME" >/dev/null 2>&1 - EXIT_CODE=$? - - if [[ $EXIT_CODE == '0' ]]; then - git checkout "$BRANCH_NAME" - git pull origin "$BRANCH_NAME" - else - git checkout -b "$BRANCH_NAME" - git push --set-upstream origin "$BRANCH_NAME" - fi - - echo "Copying ECS templates to the plugins repository..." 
- for ecs_module in "${relevant_modules[@]}"; do - target_file=${module_to_file[$ecs_module]} - if [[ -z "$target_file" ]]; then - continue - fi - # Save the template on the output path - mkdir -p "$OUTPUT_PATH" - cp "$CURRENT_PATH/ecs/$ecs_module/$MAPPINGS_SUBPATH" "$OUTPUT_PATH/$target_file" - # Copy the template to the plugins repository - mkdir -p $TEMPLATES_PATH - echo " - Copy template for module '$ecs_module' to '$target_file'" - cp "$CURRENT_PATH/ecs/$ecs_module/$MAPPINGS_SUBPATH" "$TEMPLATES_PATH/$target_file" - done - - git status --short - - if ! git diff-index --quiet HEAD --; then - echo "Changes detected. Committing and pushing to the repository..." - git add . - git commit -m "Update ECS templates for modified modules: ${relevant_modules[*]}" - git push - else - echo "Nothing to commit, working tree clean." - exit 0 - fi -} - -# Create or update a Pull Request with the modified ECS templates. -create_or_update_pr() { - echo - echo "---> Creating or updating Pull Request..." - - local existing_pr - local modules_body - local title - local body - - existing_pr=$(gh pr list --head "$BRANCH_NAME" --json number --jq '.[].number') - # Format modules - modules_body=$(printf -- '- %s\n' "${relevant_modules[@]}") - - # Create title and body with formatted modules list - title="[ECS Generator] Update index templates" - body=$(cat < token.txt - - # Authorize GitHub CLI for the current repository and - # create a pull-requests containing the updates. - gh auth login --with-token < token.txt - - if [ -z "$existing_pr" ]; then - output=$(gh pr create --title "$title" --body "$body" --base main --head "$BRANCH_NAME") - pr_url=$(echo "$output" | grep -oP 'https://github.com/\S+') - export PR_URL="$pr_url" - echo "New pull request created: $PR_URL" - else - echo "PR already exists: $existing_pr. Updating the PR..." 
- gh pr edit "$existing_pr" --body "$body" - pr_url=$(gh pr view "$existing_pr" --json url -q '.url') - export PR_URL="$pr_url" - echo "Pull request updated: $PR_URL" - fi - - # If the script is executed in a GHA, add a notice command. - if check_running_on_gha; then - echo "::notice::Pull Request URL:${PR_URL}" - fi -} - -# Display usage information. -usage() { - echo "Usage: $0 -b -t " - echo " -t [GITHUB_TOKEN] (Required) GitHub token to authenticate with GitHub API." - echo " -b [BRANCH_NAME] (Optional) Branch name to create or update the PR. Default: current branch." - echo " If not provided, the script will use the GITHUB_TOKEN environment variable." - exit 1 -} - -# Main function -main() { - while getopts ":b:t:o:" opt; do - case ${opt} in - b ) - BRANCH_NAME=$OPTARG - ;; - t ) - GITHUB_TOKEN=$OPTARG - ;; - o ) - if [[ "$OPTARG" == "./"* || ! "$OPTARG" =~ ^/ ]]; then - OPTARG="$(pwd)/${OPTARG#./}" - fi - OUTPUT_PATH=$OPTARG - ;; - \? ) - usage - ;; - : ) - echo "Invalid option: $OPTARG requires an argument" 1>&2 - usage - ;; - esac - done - - if [ -z "$BRANCH_NAME" ]; then - # Check if we are in a Git repository - if git rev-parse --is-inside-work-tree > /dev/null 2>&1; then - BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD) - else - echo "Error: You are not in a Git repository." >&2 - exit 1 - fi - fi - - if [ -z "$BRANCH_NAME" ] || [ -z "$GITHUB_TOKEN" ]; then - usage - fi - - validate_dependencies - detect_modified_modules - run_ecs_generator # Exit if no changes on relevant modules. - clone_target_repo - commit_and_push_changes # Exit if no changes detected. - create_or_update_pr -} - -main "$@" diff --git a/ecs/states-fim/event-generator/event_generator.py b/ecs/states-fim/event-generator/event_generator.py deleted file mode 100644 index 5cd14d0b389c2..0000000000000 --- a/ecs/states-fim/event-generator/event_generator.py +++ /dev/null 
@@ -1,211 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-fim" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'hostname{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 
'region_name': 'California', - 'timezone': 'America/Los_Angeles' - }, - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_file(): - file = { - 'attributes': random.choice(['attribute1', 'attribute2']), - 'gid': f'gid{random.randint(0, 1000)}', - 'group': f'group{random.randint(0, 1000)}', - 'hash': { - 'md5': 
f'{random.randint(0, 9999)}', - 'sha1': f'{random.randint(0, 9999)}', - 'sha256': f'{random.randint(0, 9999)}' - }, - 'inode': f'inode{random.randint(0, 1000)}', - 'mode': f'mode{random.randint(0, 1000)}', - 'mtime': generate_random_date(), - 'name': f'name{random.randint(0, 1000)}', - 'owner': f'owner{random.randint(0, 1000)}', - 'path': f'/path/to/file', - 'size': random.randint(1000, 1000000), - 'target_path': f'/path/to/target{random.randint(0, 1000)}', - 'type': random.choice(['file_type1', 'file_type2']), - 'uid': f'uid{random.randint(0, 1000)}' - } - return file - - -def generate_random_registry(): - registry = { - 'key': f'registry_key{random.randint(0, 1000)}', - 'value': f'registry_value{random.randint(0, 1000)}' - } - return registry - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - 'agent': generate_random_agent(), - 'file': generate_random_file(), - 'registry': generate_random_registry() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. 
Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-fim/fields/custom/agent.yml b/ecs/states-fim/fields/custom/agent.yml deleted file mode 100644 index fd3cb2e6c41c9..0000000000000 --- a/ecs/states-fim/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/host.yml b/ecs/states-fim/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/states-fim/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/os.yml b/ecs/states-fim/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-fim/fields/custom/os.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/risk.yml b/ecs/states-fim/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-fim/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/mapping-settings.json b/ecs/states-fim/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-fim/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml deleted file mode 100644 index 7eab78e238a21..0000000000000 --- a/ecs/states-fim/fields/subset.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -name: wazuh-states-fim -fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - file: - fields: - attributes: {} - name: {} - path: {} - gid: {} - group: {} - inode: {} - hash: - fields: - md5: {} - sha1: {} - sha256: {} - mtime: {} - mode: {} - size: {} - target_path: {} - type: {} - uid: {} - owner: {} - registry: - fields: - key: {} - value: {} diff --git a/ecs/states-fim/fields/template-settings-legacy.json b/ecs/states-fim/fields/template-settings-legacy.json deleted file mode 100644 index 91c05d65c44cf..0000000000000 --- a/ecs/states-fim/fields/template-settings-legacy.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "index_patterns": ["wazuh-states-fim*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } -} diff --git a/ecs/states-fim/fields/template-settings.json b/ecs/states-fim/fields/template-settings.json deleted file mode 100644 index 4ecb7b7d3831c..0000000000000 --- a/ecs/states-fim/fields/template-settings.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "index_patterns": ["wazuh-states-fim*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } - } -} diff --git a/ecs/states-inventory-hardware/event-generator/event_generator.py b/ecs/states-inventory-hardware/event-generator/event_generator.py deleted file mode 100644 index 680410b72f29b..0000000000000 --- a/ecs/states-inventory-hardware/event-generator/event_generator.py +++ /dev/null 
@@ -1,219 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-hardware" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host(False) - } - return agent - - -def generate_random_host(is_root_level=False): - if is_root_level: - host = { - 'cpu': { - 'cores': random.randint(1, 16), - 'name': f'CPU{random.randint(1, 999)}', - 'speed': random.randint(1000, 5000), - 'usage': random.uniform(0, 100) - }, - 'memory': { - 'free': random.randint(1000, 100000), - 'total': random.randint(1000, 100000), - 'used': { - 'percentage': random.uniform(0, 100) - } - } - } - else: - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'cores': random.randint(1, 16), - 'name': f'CPU{random.randint(1, 999)}', - 'speed': random.randint(1000, 5000), - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': 
{ - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'memory': { - 'free': random.randint(1000, 100000), - 'total': random.randint(1000, 100000), - 'used': { - 'percentage': random.uniform(0, 100) - } - }, - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def 
generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_observer(): - observer = { - 'serial_number': f'serial{random.randint(0, 9999)}' - } - return observer - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'host': generate_random_host(True), - 'observer': generate_random_observer() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. 
Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml deleted file mode 100644 index 7df6e4dacae6d..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/host.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } - fields: - - name: memory - description: > - Memory related data - type: object - level: custom - - name: memory.total - description: > - Total memory in MB - type: long - level: custom - - name: memory.free - description: > - Free memory in MB - type: long - level: custom - - name: memory.used - description: > - Used memory related data - type: object - level: custom - - name: memory.used.percentage - description: > - Used memory percentage - type: long - level: custom - - name: cpu - description: > - CPU related data - type: object - level: custom - - name: cpu.name - description: > - CPU Model name - type: keyword - level: custom - - name: cpu.cores - description: > - Number of CPU cores - type: long - level: custom - - name: cpu.speed - description: > - CPU clock speed - type: long - level: custom \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/os.yml b/ecs/states-inventory-hardware/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/risk.yml b/ecs/states-inventory-hardware/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/mapping-settings.json b/ecs/states-inventory-hardware/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-hardware/fields/mapping-settings.json +++ /dev/null 
@@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml deleted file mode 100644 index 74f2992a6ae9b..0000000000000 --- a/ecs/states-inventory-hardware/fields/subset.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -name: wazuh-states-inventory-hardware -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - observer: - fields: - serial_number: {} - host: - fields: - memory: - fields: "*" - cpu: - fields: "*" diff --git a/ecs/states-inventory-hardware/fields/template-settings-legacy.json b/ecs/states-inventory-hardware/fields/template-settings-legacy.json deleted file mode 100644 index b2281742d219e..0000000000000 --- a/ecs/states-inventory-hardware/fields/template-settings-legacy.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-hardware*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "observer.board_serial" - ] - } - } -} diff --git a/ecs/states-inventory-hardware/fields/template-settings.json b/ecs/states-inventory-hardware/fields/template-settings.json deleted file mode 100644 index d8cf7b772921c..0000000000000 --- a/ecs/states-inventory-hardware/fields/template-settings.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": [ - "wazuh-states-inventory-hardware*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "observer.board_serial" - ] - } - } - } -} \ No newline at end of file 
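Review bot: in the deleted `ecs/states-inventory-hardware/fields/custom/host.yml`, `memory.used.percentage` is typed `long` while the hardware event generator writes `random.uniform(0, 100)` into it; with the default `coerce` behaviour the fractional part is silently truncated at index time, so a percentage should be `float` (or `scaled_float`). The descriptions also mix units: `memory.total` and `memory.free` say "in MB", but `cpu.speed` says only "CPU clock speed" and should name its unit (MHz) so consumers of the index do not have to guess.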
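Review bot: in the deleted `ecs/states-inventory-hardware/fields/template-settings.json` and `template-settings-legacy.json`, `query.default_field` is `["observer.board_serial"]`, but the module's `subset.yml` only selects `observer.serial_number` and the event generator emits `serial_number`; with `"dynamic": "strict"` in `mapping-settings.json` a `board_serial` field can never exist, so free-text queries against these indices have no default field to hit. Whatever replaces these templates should point `query.default_field` at `observer.serial_number` (and arguably `host.cpu.name` as well).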
diff --git a/ecs/states-inventory-hotfixes/event-generator/event_generator.py b/ecs/states-inventory-hotfixes/event-generator/event_generator.py deleted file mode 100644 index 048315afb8313..0000000000000 --- a/ecs/states-inventory-hotfixes/event-generator/event_generator.py +++ /dev/null 
@@ -1,193 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-hotfixes" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 
255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_package(): - package = { - 'hotfix': { - 'name': f'hotfix{random.randint(0, 9999)}' - } - } - return 
package - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'package': generate_random_package() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() 
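Review bot: the `inject_events` loop in this removed hotfixes generator logs `Data injection completed successfully.` even after it `break`s on a non-201 response, so a partial load reads as a success in `generate_data.log`; if the generator is being relocated rather than retired, the moved copy should log the failure and `return` from the loop instead of falling through to the success message. The same applies to `session.verify = False` together with `urllib3.disable_warnings(...)` and the `admin`/`admin` defaults: keep TLS verification on by default and take a CA bundle path and credentials from the environment. No changelog entry or README pointer to the new location of these generators and ECS definitions is visible in this diff; please add one so the removal is traceable.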
diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-hotfixes/fields/custom/host.yml b/ecs/states-inventory-hotfixes/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/os.yml b/ecs/states-inventory-hotfixes/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/package.yml b/ecs/states-inventory-hotfixes/fields/custom/package.yml deleted file mode 100644 index deee7e1a03e63..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/package.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: package - title: Package - type: group - group: 2 - description: > - Package related data. - fields: - - name: hotfix - type: object - level: custom - group: 2 - description: > - Hotfix related data. - - name: hotfix.name - type: keyword - level: custom - description: > - Name of the Hotfix. \ No newline at end of file 
diff --git a/ecs/states-inventory-hotfixes/fields/custom/risk.yml b/ecs/states-inventory-hotfixes/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/mapping-settings.json b/ecs/states-inventory-hotfixes/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml deleted file mode 100644 index 3cbf6f38f132f..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/subset.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: wazuh-states-inventory-hotfixes -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: - hotfix: - fields: - name: {} diff --git a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json deleted file mode 100644 index 390711717339d..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-hotfixes*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "package.hotfix.name" - ] - } - } -} 
diff --git a/ecs/states-inventory-hotfixes/fields/template-settings.json b/ecs/states-inventory-hotfixes/fields/template-settings.json deleted file mode 100644 index 0312d23702aa4..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/template-settings.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": [ - "wazuh-states-inventory-hotfixes*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "package.hotfix.name" - ] - } - } - } -} \ No newline at end of file diff --git a/ecs/states-inventory-networks/event-generator/event_generator.py b/ecs/states-inventory-networks/event-generator/event_generator.py deleted file mode 100644 index 46c479d8a8e65..0000000000000 --- a/ecs/states-inventory-networks/event-generator/event_generator.py +++ /dev/null 
@@ -1,247 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-networks" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host(False) - } - return agent - - -def generate_random_host(is_root_level_level=False): - if is_root_level_level: - host = { - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - } - } - } - else: - host = { - 
'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 
'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_network(): - network = { - 'broadcast': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'dhcp': f'dhcp{random.randint(0, 9999)}', - 'gateway': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'metric': random.randint(1, 100), - 'netmask': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'protocol': random.choice(['TCP', 'UDP', 'ICMP']), - 'type': random.choice(['wired', 'wireless']) - } - return network - -def generate_random_interface(is_root_level=False): - if is_root_level: - interface = { - 'mtu': f'{random.randint(1000000, 99999999)}', - 'state': random.choice(['Active', 'Inactive', 'Unknown']), - 'type': random.choice(['wireless', 'ethernet']) - } - else: - interface = { - 'alias': f'alias{random.randint(0, 9999)}', - 'name': f'name{random.randint(0, 9999)}', - } - - return interface - -def generate_random_observer(): - observer = { - 'ingress': { - 'interface': generate_random_interface(False) - } - } - return observer - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': 
generate_random_date(), - 'agent': generate_random_agent(), - 'host': generate_random_host(True), - 'network': generate_random_network(), - 'observer': generate_random_observer(), - 'interface': generate_random_interface(True) - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() 
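Review bot: `generate_random_interface(True)` in this networks generator emits `mtu` as a string (`f'{random.randint(1000000, 99999999)}'`) while the `interface.yml` hunk below declares `mtu` as `type: long`, so the document only indexes thanks to numeric coercion, and the range (1,000,000 to 99,999,999) is far outside any real MTU; the helper parameter is also misspelled `is_root_level_level`. If this generator survives elsewhere, emit the MTU as an int in a realistic range (for example `random.randint(68, 9000)`) and fix the parameter name. The success message logged after `break` in `inject_events` is the same defect as in the hotfixes generator above.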
diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-networks/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-networks/fields/custom/host.yml b/ecs/states-inventory-networks/fields/custom/host.yml deleted file mode 100644 index dada3cf6c0288..0000000000000 --- a/ecs/states-inventory-networks/fields/custom/host.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } - fields: - - name: network.egress.drops - type: long - level: custom - description: > - Number of dropped transmitted packets. - - name: network.egress.errors - type: long - level: custom - description: > - Number of transmission errors. - - name: network.ingress.drops - type: long - level: custom - description: > - Number of dropped received packets. - - name: network.ingress.errors - type: long - level: custom - description: > - Number of reception errors. \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/interface.yml b/ecs/states-inventory-networks/fields/custom/interface.yml deleted file mode 100644 index 4d9a5625f22f0..0000000000000 --- a/ecs/states-inventory-networks/fields/custom/interface.yml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -- name: interface - reusable: - top_level: true - expected: - - { at: observer.egress.interface, as: observer.ingress.interface } - title: Interface - type: group - group: 2 - description: > - Network interface related data. - fields: - - name: mtu - type: long - level: custom - description: > - Maximum transmission unit size. - - name: state - type: keyword - level: custom - description: > - State of the network interface. - - name: type - type: keyword - level: custom - description: > - Interface type. diff --git a/ecs/states-inventory-networks/fields/custom/network.yml b/ecs/states-inventory-networks/fields/custom/network.yml deleted file mode 100644 index 2387fdd645b68..0000000000000 --- a/ecs/states-inventory-networks/fields/custom/network.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -- name: network - title: Network - type: group - group: 2 - description: > - Network related data. - fields: - - name: broadcast - type: ip - level: custom - description: > - Broadcast address - - name: dhcp - type: keyword - level: custom - description: > - DHCP status (enabled, disabled, unknown, BOOTP) - - name: gateway - type: ip - level: custom - description: > - Gateway address - - name: metric - type: long - level: custom - description: > - Metric of the network protocol - - name: netmask - type: ip - level: custom - description: > - Network mask diff --git a/ecs/states-inventory-networks/fields/custom/os.yml b/ecs/states-inventory-networks/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-networks/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/custom/risk.yml b/ecs/states-inventory-networks/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-networks/fields/custom/risk.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/mapping-settings.json b/ecs/states-inventory-networks/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-networks/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml deleted file mode 100644 index 24392a19582a2..0000000000000 --- a/ecs/states-inventory-networks/fields/subset.yml +++ /dev/null @@ -1,40 +0,0 @@ ---- -name: wazuh-states-inventory-networks -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - host: - fields: "*" - interface: - fields: - mtu: {} - state: {} - type: {} - network: - fields: - broadcast: {} - dhcp: {} - gateway: {} - metric: {} - netmask: {} - protocol: {} - type: {} - observer: - fields: - ingress: - fields: - interface: - fields: - alias: {} - name: {} diff --git a/ecs/states-inventory-networks/fields/template-settings-legacy.json b/ecs/states-inventory-networks/fields/template-settings-legacy.json deleted file mode 100644 index 1f45768296427..0000000000000 --- a/ecs/states-inventory-networks/fields/template-settings-legacy.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-networks*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "device.id", - "event.id", - "host.ip", - "observer.ingress.interface.name", - "observer.ingress.interface.alias", - "process.name" - ] - } - } -} 
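Review bot: `query.default_field` in this legacy template (and in the `template-settings.json` hunk that follows) lists `device.id`, `event.id` and `process.name`, none of which appear in the networks `subset.yml` above, and that subset also repeats the `host: fields: "*"` block twice. With `"dynamic": "strict"` in `mapping-settings.json` those three fields can never exist in this index, so the default-field list looks carried over from another index definition; worth confirming that whatever replaces these files does not inherit it.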
diff --git a/ecs/states-inventory-networks/fields/template-settings.json b/ecs/states-inventory-networks/fields/template-settings.json deleted file mode 100644 index a5607e1012689..0000000000000 --- a/ecs/states-inventory-networks/fields/template-settings.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "index_patterns": [ - "wazuh-states-inventory-networks*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "device.id", - "event.id", - "host.ip", - "observer.ingress.interface.name", - "observer.ingress.interface.alias", - "process.name" - ] - } - } - } -} \ No newline at end of file diff --git a/ecs/states-inventory-packages/event-generator/event_generator.py b/ecs/states-inventory-packages/event-generator/event_generator.py deleted file mode 100644 index 77034d735931e..0000000000000 --- a/ecs/states-inventory-packages/event-generator/event_generator.py +++ /dev/null 
@@ -1,198 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-packages" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 
255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_package(): - package = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'description': 
f'description{random.randint(0, 9999)}', - 'installed': generate_random_date(), - 'name': f'package{random.randint(0, 9999)}', - 'path': f'/path/to/package{random.randint(0, 9999)}', - 'size': random.randint(1000, 100000), - 'type': random.choice(['deb', 'rpm']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - } - return package - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'package': generate_random_package() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? 
(y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-packages/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-packages/fields/custom/host.yml b/ecs/states-inventory-packages/fields/custom/host.yml deleted file mode 100644 index 919648bc0832f..0000000000000 --- a/ecs/states-inventory-packages/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: false - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/os.yml b/ecs/states-inventory-packages/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-packages/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/risk.yml b/ecs/states-inventory-packages/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 
--- a/ecs/states-inventory-packages/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/mapping-settings.json b/ecs/states-inventory-packages/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-packages/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml deleted file mode 100644 index 00ebd0b231be4..0000000000000 --- a/ecs/states-inventory-packages/fields/subset.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -name: wazuh-states-inventory-packages -fields: - base: - fields: - "@timestamp": {} - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: - architecture: "" - description: "" - installed: {} - name: "" - path: "" - size: {} - type: "" - version: "" diff --git a/ecs/states-inventory-packages/fields/template-settings-legacy.json b/ecs/states-inventory-packages/fields/template-settings-legacy.json deleted file mode 100644 index ca085a0dad45d..0000000000000 --- a/ecs/states-inventory-packages/fields/template-settings-legacy.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-packages*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "package.architecture", - "package.name", - "package.version", - "package.type" - ] - } - } -} 
diff --git a/ecs/states-inventory-packages/fields/template-settings.json b/ecs/states-inventory-packages/fields/template-settings.json deleted file mode 100644 index e6cd3078a8325..0000000000000 --- a/ecs/states-inventory-packages/fields/template-settings.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-packages*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "package.architecture", - "package.name", - "package.version", - "package.type" - ] - } - } - } -} diff --git a/ecs/states-inventory-ports/event-generator/event_generator.py b/ecs/states-inventory-ports/event-generator/event_generator.py deleted file mode 100644 index 5f0c13a3b513c..0000000000000 --- a/ecs/states-inventory-ports/event-generator/event_generator.py +++ /dev/null 
@@ -1,247 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-ports" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host(False) - } - return agent - - -def generate_random_host(is_root_level=False): - if is_root_level: - host = { - 'network': { - 'egress': { - 'queue': random.randint(0, 1000) - }, - 'ingress': { - 'queue': random.randint(0, 1000) - } - } - } - else: - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 
255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000), - 'queue': random.randint(0, 1000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000), - 'queue': random.randint(0, 1000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 
99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_destination(): - destination = { - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'port': random.randint(0, 65535) - } - return destination - - -def generate_random_device(): - device = { - 'id': f'device{random.randint(0, 9999)}' - } - return device - - -def generate_random_file(): - file = { - 'inode': f'inode{random.randint(0, 9999)}' - } - return file - - -def generate_random_process(): - process = { - 'name': f'process{random.randint(0, 9999)}', - 'pid': random.randint(0, 99999) - } - return process - - -def generate_random_source(): - source = { - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'port': random.randint(0, 65535) - } - return source - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'destination': generate_random_destination(), - 'device': generate_random_device(), - 'file': generate_random_file(), - 'host': generate_random_host(True), - 'network': { - 'protocol': random.choice(['TCP', 'UDP', 'ICMP']) - }, - 'process': generate_random_process(), - 'source': generate_random_source(), - 'interface': { - 'state': random.choice(['Active', 'Inactive', 'Unknown']) - } - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - 
logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-ports/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-ports/fields/custom/host.yml b/ecs/states-inventory-ports/fields/custom/host.yml deleted file mode 100644 index 1ce10e63f92d4..0000000000000 --- a/ecs/states-inventory-ports/fields/custom/host.yml +++ /dev/null 
@@ -1,17 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } - fields: - - name: network.ingress.queue - type: long - level: custom - description: > - Receive queue length. - - name: network.egress.queue - type: long - level: custom - description: > - Transmit queue length. \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/interface.yml b/ecs/states-inventory-ports/fields/custom/interface.yml deleted file mode 100644 index e2cd63e94f3b2..0000000000000 --- a/ecs/states-inventory-ports/fields/custom/interface.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- -- name: interface - reusable: - top_level: true - expected: - - { at: observer.egress.interface, as: observer.ingress.interface } - title: Interface - type: group - group: 2 - description: > - Network interface related data. - fields: - - name: state - type: keyword - level: custom - description: > - State of the network interface. diff --git a/ecs/states-inventory-ports/fields/custom/os.yml b/ecs/states-inventory-ports/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-ports/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/custom/risk.yml b/ecs/states-inventory-ports/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-ports/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/mapping-settings.json b/ecs/states-inventory-ports/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-ports/fields/mapping-settings.json +++ /dev/null 
@@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml deleted file mode 100644 index 422989cd48019..0000000000000 --- a/ecs/states-inventory-ports/fields/subset.yml +++ /dev/null @@ -1,50 +0,0 @@ ---- -name: wazuh-states-inventory-ports -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - destination: - fields: - ip: {} - port: {} - device: - fields: - id: {} - file: - fields: - inode: {} - host: - fields: - network: - fields: - egress: - fields: - queue: {} - ingress: - fields: - queue: {} - network: - fields: - protocol: {} - process: - fields: - name: {} - pid: {} - source: - fields: - ip: {} - port: {} - interface: - fields: - state: {} diff --git a/ecs/states-inventory-ports/fields/template-settings-legacy.json b/ecs/states-inventory-ports/fields/template-settings-legacy.json deleted file mode 100644 index 684b7689d70f3..0000000000000 --- a/ecs/states-inventory-ports/fields/template-settings-legacy.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-ports*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "source.ip", - "destination.ip" - ] - } - } -} diff --git a/ecs/states-inventory-ports/fields/template-settings.json b/ecs/states-inventory-ports/fields/template-settings.json deleted file mode 100644 index 9324c929a4bfd..0000000000000 --- a/ecs/states-inventory-ports/fields/template-settings.json +++ /dev/null 
@@ -1,22 +0,0 @@ -{ - "index_patterns": [ - "wazuh-states-inventory-ports*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "source.ip", - "destination.ip" - ] - } - } - } -} \ No newline at end of file diff --git a/ecs/states-inventory-processes/event-generator/event_generator.py b/ecs/states-inventory-processes/event-generator/event_generator.py deleted file mode 100644 index 0cf1939a37018..0000000000000 --- a/ecs/states-inventory-processes/event-generator/event_generator.py +++ /dev/null 
@@ -1,223 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-processes" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 
255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_process(): - process = { - 'args': f'arg{random.randint(0, 9999)}', - 'command_line': 
f'command{random.randint(0, 9999)}', - 'group': { - 'id': f'groupid{random.randint(0, 9999)}' - }, - 'name': f'process{random.randint(0, 9999)}', - 'parent': { - 'pid': random.randint(1, 9999) - }, - 'pid': random.randint(1, 9999), - 'real_group': { - 'id': f'realgroupid{random.randint(0, 9999)}' - }, - 'real_user': { - 'id': f'realuserid{random.randint(0, 9999)}' - }, - 'saved_group': { - 'id': f'savedgroupid{random.randint(0, 9999)}' - }, - 'saved_user': { - 'id': f'saveduserid{random.randint(0, 9999)}' - }, - 'start': generate_random_date(), - 'thread': { - 'id': random.randint(1, 9999) - }, - 'user': { - 'id': f'userid{random.randint(0, 9999)}' - }, - 'tty': { - 'char_device': { - 'major': random.randint(0, 5) - } - } - } - return process - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'process': generate_random_process() - } - data.append(event_data) - return data - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. 
Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-processes/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-processes/fields/custom/host.yml b/ecs/states-inventory-processes/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/states-inventory-processes/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/custom/os.yml b/ecs/states-inventory-processes/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 
--- a/ecs/states-inventory-processes/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/custom/risk.yml b/ecs/states-inventory-processes/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-processes/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/mapping-settings.json b/ecs/states-inventory-processes/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-processes/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml deleted file mode 100644 index 6a391603f2b6f..0000000000000 --- a/ecs/states-inventory-processes/fields/subset.yml +++ /dev/null @@ -1,52 +0,0 @@ ---- -name: wazuh-states-inventory-processes -fields: - base: - fields: - "@timestamp": {} - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - process: - fields: - pid: {} - name: "" - parent: - fields: - pid: {} - command_line: "" - args: "" - user: - fields: - id: "" - real_user: - fields: - id: "" - saved_user: - fields: - id: "" - group: - fields: - id: "" - real_group: - fields: - id: "" - saved_group: - fields: - id: "" - start: {} - thread: - fields: - id: "" - tty: - fields: - char_device: - fields: - major: "" diff --git a/ecs/states-inventory-processes/fields/template-settings-legacy.json b/ecs/states-inventory-processes/fields/template-settings-legacy.json deleted file mode 100644 index 0c5363d2feeb7..0000000000000 
--- a/ecs/states-inventory-processes/fields/template-settings-legacy.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-processes*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "process.pid", - "process.command_line" - ] - } - } -} diff --git a/ecs/states-inventory-processes/fields/template-settings.json b/ecs/states-inventory-processes/fields/template-settings.json deleted file mode 100644 index 15c0bc58c58ba..0000000000000 --- a/ecs/states-inventory-processes/fields/template-settings.json +++ /dev/null @@ -1,20 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-processes*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "process.pid", - "process.command_line" - ] - } - } - } -} diff --git a/ecs/states-inventory-system/event-generator/event_generator.py b/ecs/states-inventory-system/event-generator/event_generator.py deleted file mode 100644 index aa3eeba2ecb66..0000000000000 --- a/ecs/states-inventory-system/event-generator/event_generator.py +++ /dev/null 
@@ -1,197 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-system" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host(False) - } - return agent - - -def generate_random_host(is_root_level=False): - if is_root_level: - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'hostname': f'host{random.randint(0, 1000)}', - 'os': { - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - } - } - else: - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': 
f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return 
host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'host': generate_random_host(True) - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? 
(y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-system/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-system/fields/custom/host.yml b/ecs/states-inventory-system/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/states-inventory-system/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/os.yml b/ecs/states-inventory-system/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-system/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/custom/risk.yml b/ecs/states-inventory-system/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-system/fields/custom/risk.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/mapping-settings.json b/ecs/states-inventory-system/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-system/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml deleted file mode 100644 index c31262f1c8970..0000000000000 --- a/ecs/states-inventory-system/fields/subset.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -name: wazuh-states-inventory-system -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - host: - fields: "*" diff --git a/ecs/states-inventory-system/fields/template-settings-legacy.json b/ecs/states-inventory-system/fields/template-settings-legacy.json deleted file mode 100644 index 2d12dcaac3ce6..0000000000000 --- a/ecs/states-inventory-system/fields/template-settings-legacy.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-system*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.name", - "host.os.type", - "host.os.version" - ] - } - } -} diff --git a/ecs/states-inventory-system/fields/template-settings.json b/ecs/states-inventory-system/fields/template-settings.json deleted file mode 100644 index 62249c19e72ea..0000000000000 --- a/ecs/states-inventory-system/fields/template-settings.json +++ /dev/null 
@@ -1,20 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-system*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.name", - "host.os.type", - "host.os.version" - ] - } - } - } -} diff --git a/ecs/states-vulnerabilities/event-generator/event_generator.py b/ecs/states-vulnerabilities/event-generator/event_generator.py deleted file mode 100644 index 8170cc443dd6a..0000000000000 --- a/ecs/states-vulnerabilities/event-generator/event_generator.py +++ /dev/null 
@@ -1,233 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-vulnerabilities" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 
255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_package(): - package = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'build_version': 
f'build{random.randint(0, 9999)}', - 'checksum': f'checksum{random.randint(0, 9999)}', - 'description': f'description{random.randint(0, 9999)}', - 'install_scope': random.choice(['system', 'user']), - 'installed': generate_random_date(), - 'license': random.choice(['GPL', 'MIT', 'Apache']), - 'name': f'package{random.randint(0, 9999)}', - 'path': f'/path/to/package{random.randint(0, 9999)}', - 'reference': f'reference{random.randint(0, 9999)}', - 'size': random.randint(1000, 100000), - 'type': random.choice(['deb', 'rpm']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - } - return package - - -def generate_random_vulnerability(): - vulnerability = { - 'category': random.choice(['security', 'compliance']), - 'classification': f'classification{random.randint(0, 9999)}', - 'description': f'description{random.randint(0, 9999)}', - 'detected_at': generate_random_date(), - 'enumeration': f'enumeration{random.randint(0, 9999)}', - 'id': f'id{random.randint(0, 9999)}', - 'published_at': generate_random_date(), - 'reference': f'reference{random.randint(0, 9999)}', - 'report_id': f'report{random.randint(0, 9999)}', - 'scanner': { - 'source': random.choice(['Nessus', 'OpenVAS']), - 'vendor': random.choice(['Tenable', 'Greenbone']), - 'condition': random.choice(['is', 'is not']) - }, - 'score': { - 'base': random.uniform(0, 10), - 'environmental': random.uniform(0, 10), - 'temporal': random.uniform(0, 10), - 'version': random.choice(['v2', 'v3']) - }, - 'severity': random.choice(['low', 'medium', 'high']), - 'under_evaluation': random.choice([True, False]) - } - return vulnerability - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - 'agent': generate_random_agent(), - 'host': generate_random_host(), - 'package': generate_random_package(), - 'vulnerability': generate_random_vulnerability() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, 
data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input( - "Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-vulnerabilities/fields/custom/agent.yml b/ecs/states-vulnerabilities/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-vulnerabilities/fields/custom/agent.yml +++ /dev/null 
@@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-vulnerabilities/fields/custom/host.yml b/ecs/states-vulnerabilities/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/states-vulnerabilities/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/custom/os.yml b/ecs/states-vulnerabilities/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-vulnerabilities/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/custom/package.yml b/ecs/states-vulnerabilities/fields/custom/package.yml deleted file mode 100644 index 40d04c580f521..0000000000000 --- a/ecs/states-vulnerabilities/fields/custom/package.yml +++ /dev/null @@ -1,15 +0,0 @@ -- name: package - title: Package - group: 2 - short: These fields contain information about an installed software package. - description: > - These fields contain information about an installed software package. - It contains general information about a package, such as name, version or size. - It also contains installation details, such as time or location. - type: group - fields: - - name: size - type: unsigned_long - level: custom - description: > - Package size in bytes. diff --git a/ecs/states-vulnerabilities/fields/custom/risk.yml b/ecs/states-vulnerabilities/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-vulnerabilities/fields/custom/risk.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/custom/vulnerability.yml b/ecs/states-vulnerabilities/fields/custom/vulnerability.yml deleted file mode 100644 index d6ba31145b2a6..0000000000000 --- a/ecs/states-vulnerabilities/fields/custom/vulnerability.yml +++ /dev/null @@ -1,34 +0,0 @@ -- name: vulnerability - title: Vulnerability - group: 2 - short: Fields to describe the vulnerability relevant to an event. - description: > - The vulnerability fields describe information about a vulnerability that is - relevant to an event. - type: group - fields: - - name: detected_at - type: date - level: custom - description: > - Vulnerability's detection date. - - name: published_at - type: date - level: custom - description: > - Vulnerability's publication date. - - name: under_evaluation - type: boolean - level: custom - description: > - Indicates if the vulnerability is awaiting analysis by the NVD. - - name: scanner.source - type: keyword - level: custom - description: > - The origin of the decision of the scanner (AKA feed used to detect the vulnerability). - - name: scanner.condition - type: keyword - level: custom - description: > - The condition matched by the package that led the scanner to consider it vulnerable. diff --git a/ecs/states-vulnerabilities/fields/custom/wazuh.yml b/ecs/states-vulnerabilities/fields/custom/wazuh.yml deleted file mode 100644 index cbc1a38f016df..0000000000000 --- a/ecs/states-vulnerabilities/fields/custom/wazuh.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -- name: wazuh - title: Wazuh - description: > - Wazuh Inc. custom fields - fields: - - name: cluster.name - type: keyword - level: custom - description: > - Wazuh cluster name. - - name: cluster.node - type: keyword - level: custom - description: > - Wazuh cluster node name. - - name: schema.version - type: keyword - level: custom - description: > - Wazuh schema version. 
diff --git a/ecs/states-vulnerabilities/fields/mapping-settings.json b/ecs/states-vulnerabilities/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-vulnerabilities/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-vulnerabilities/fields/subset.yml b/ecs/states-vulnerabilities/fields/subset.yml deleted file mode 100644 index d0b44d3a712f1..0000000000000 --- a/ecs/states-vulnerabilities/fields/subset.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -name: wazuh-states-vulnerabilities -fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: "*" - host: - fields: "*" - vulnerability: - fields: "*" - wazuh: - fields: "*" diff --git a/ecs/states-vulnerabilities/fields/template-settings-legacy.json b/ecs/states-vulnerabilities/fields/template-settings-legacy.json deleted file mode 100644 index 17a7bd4f6c785..0000000000000 --- a/ecs/states-vulnerabilities/fields/template-settings-legacy.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "index_patterns": ["wazuh-states-vulnerabilities*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.os.full", - "host.os.version", - "package.name", - "package.version", - "vulnerability.id", - "vulnerability.description", - "vulnerability.severity", - "wazuh.cluster.name" - ] - } - } -} diff --git a/ecs/states-vulnerabilities/fields/template-settings.json b/ecs/states-vulnerabilities/fields/template-settings.json deleted file mode 100644 index 901003b59b17f..0000000000000 --- a/ecs/states-vulnerabilities/fields/template-settings.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "index_patterns": ["wazuh-states-vulnerabilities*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.os.full", - "host.os.version", - "package.name", - "package.version", - "vulnerability.id", - "vulnerability.description", - "vulnerability.severity", - "wazuh.cluster.name" - ] - } - } - } -} diff --git a/integrations/.gitignore b/integrations/.gitignore deleted file mode 100644 index 49aa039cc7e32..0000000000000 --- a/integrations/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -external -docker/certs -docker/config diff --git a/integrations/README.md b/integrations/README.md deleted file mode 100644 index c530fda5dc716..0000000000000 --- a/integrations/README.md +++ /dev/null 
@@ -1,33 +0,0 @@ -## Wazuh indexer integrations - -This folder contains integrations with third-party XDR, SIEM and cybersecurity software. -The goal is to transport Wazuh's analysis to the platform that suits your needs. - -### Amazon Security Lake - -Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, -on premises, and cloud sources into a purpose-built data lake stored in your account. With Security Lake, -you can get a more complete understanding of your security data across your entire organization. You can -also improve the protection of your workloads, applications, and data. Security Lake has adopted the -Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes -and combines security data from AWS and a broad range of enterprise security data sources. - -Refer to these documents for more information about this integration: - -- [User Guide](./amazon-security-lake/README.md). -- [Developer Guide](./amazon-security-lake/CONTRIBUTING.md). - -### Other integrations - -We host development environments to support the following integrations: - -- [Splunk](./splunk/README.md). -- [Elasticsearch](./elastic/README.md). -- [OpenSearch](./opensearch/README.md). - -**Compatibility matrix** - -| | Wazuh | Logstash | OpenSearch | Elastic | Splunk | -| -------------- | ------ | -------- | ---------- | ------- | ------ | -| v1.0 | 4.8.1 | 8.9.0 | 2.14.0 | 8.14.3 | 9.1.4 | -| Latest version | 4.10.1 | 8.9.0 | 2.18.0 | 8.17.1 | 9.4.0 | diff --git a/integrations/amazon-security-lake/.dockerignore b/integrations/amazon-security-lake/.dockerignore deleted file mode 100644 index 891ff7a135014..0000000000000 --- a/integrations/amazon-security-lake/.dockerignore +++ /dev/null 
@@ -1,180 +0,0 @@ -wazuh-event.ocsf.json -*.parquet -Dockerfile - -# Created by https://www.toptal.com/developers/gitignore/api/python -# Edit at https://www.toptal.com/developers/gitignore?templates=python - -### Python ### -# Byte-compiled / optimized / DLL files -__pycache__/ -*.py[cod] -*$py.class - -# C extensions -*.so - -# Distribution / packaging -.Python -build/ -develop-eggs/ -dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ -share/python-wheels/ -*.egg-info/ -.installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. -*.manifest -*.spec - -# Installer logs -pip-log.txt -pip-delete-this-directory.txt - -# Unit test / coverage reports -htmlcov/ -.tox/ -.nox/ -.coverage -.coverage.* -.cache -nosetests.xml -coverage.xml -*.cover -*.py,cover -.hypothesis/ -.pytest_cache/ -cover/ - -# Translations -*.mo -*.pot - -# Django stuff: -*.log -local_settings.py -db.sqlite3 -db.sqlite3-journal - -# Flask stuff: -instance/ -.webassets-cache - -# Scrapy stuff: -.scrapy - -# Sphinx documentation -docs/_build/ - -# PyBuilder -.pybuilder/ -target/ - -# Jupyter Notebook -.ipynb_checkpoints - -# IPython -profile_default/ -ipython_config.py - -# pyenv -# For a library or package, you might want to ignore these files since the code is -# intended to run in multiple environments; otherwise, check them in: -# .python-version - -# pipenv -# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. -# However, in case of collaboration, if having platform-specific dependencies or dependencies -# having no cross-platform support, pipenv may install dependencies that don't work, or not -# install all needed dependencies. -#Pipfile.lock - -# poetry -# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
-# This is especially recommended for binary packages to ensure reproducibility, and is more -# commonly ignored for libraries. -# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control -#poetry.lock - -# pdm -# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. -#pdm.lock -# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it -# in version control. -# https://pdm.fming.dev/#use-with-ide -.pdm.toml - -# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm -__pypackages__/ - -# Celery stuff -celerybeat-schedule -celerybeat.pid - -# SageMath parsed files -*.sage.py - -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ -.dmypy.json -dmypy.json - -# Pyre type checker -.pyre/ - -# pytype static type analyzer -.pytype/ - -# Cython debug symbols -cython_debug/ - -# PyCharm -# JetBrains specific template is maintained in a separate JetBrains.gitignore that can -# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore -# and can be added to the global gitignore or merged into this file. For a more nuclear -# option (not recommended) you can uncomment the following to ignore the entire idea folder. -#.idea/ - -### Python Patch ### -# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration -poetry.toml - -# ruff -.ruff_cache/ - -# LSP config files -pyrightconfig.json - -# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore deleted file mode 100644 index 0740f723d0c79..0000000000000 --- a/integrations/amazon-security-lake/.gitignore +++ /dev/null 
@@ -1,179 +0,0 @@ -wazuh-event.ocsf.json -*.parquet - -# Created by https://www.toptal.com/developers/gitignore/api/python -# Edit at https://www.toptal.com/developers/gitignore?templates=python - -### Python ### -# Byte-compiled / optimized / DLL files -__pycache__/ -*.py[cod] -*$py.class - -# C extensions -*.so - -# Distribution / packaging -.Python -build/ -develop-eggs/ -dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ -share/python-wheels/ -*.egg-info/ -.installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. -*.manifest -*.spec - -# Installer logs -pip-log.txt -pip-delete-this-directory.txt - -# Unit test / coverage reports -htmlcov/ -.tox/ -.nox/ -.coverage -.coverage.* -.cache -nosetests.xml -coverage.xml -*.cover -*.py,cover -.hypothesis/ -.pytest_cache/ -cover/ - -# Translations -*.mo -*.pot - -# Django stuff: -*.log -local_settings.py -db.sqlite3 -db.sqlite3-journal - -# Flask stuff: -instance/ -.webassets-cache - -# Scrapy stuff: -.scrapy - -# Sphinx documentation -docs/_build/ - -# PyBuilder -.pybuilder/ -target/ - -# Jupyter Notebook -.ipynb_checkpoints - -# IPython -profile_default/ -ipython_config.py - -# pyenv -# For a library or package, you might want to ignore these files since the code is -# intended to run in multiple environments; otherwise, check them in: -# .python-version - -# pipenv -# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. -# However, in case of collaboration, if having platform-specific dependencies or dependencies -# having no cross-platform support, pipenv may install dependencies that don't work, or not -# install all needed dependencies. -#Pipfile.lock - -# poetry -# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
-# This is especially recommended for binary packages to ensure reproducibility, and is more -# commonly ignored for libraries. -# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control -#poetry.lock - -# pdm -# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. -#pdm.lock -# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it -# in version control. -# https://pdm.fming.dev/#use-with-ide -.pdm.toml - -# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm -__pypackages__/ - -# Celery stuff -celerybeat-schedule -celerybeat.pid - -# SageMath parsed files -*.sage.py - -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ -.dmypy.json -dmypy.json - -# Pyre type checker -.pyre/ - -# pytype static type analyzer -.pytype/ - -# Cython debug symbols -cython_debug/ - -# PyCharm -# JetBrains specific template is maintained in a separate JetBrains.gitignore that can -# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore -# and can be added to the global gitignore or merged into this file. For a more nuclear -# option (not recommended) you can uncomment the following to ignore the entire idea folder. -#.idea/ - -### Python Patch ### -# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration -poetry.toml - -# ruff -.ruff_cache/ - -# LSP config files -pyrightconfig.json - -# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/CONTRIBUTING.md b/integrations/amazon-security-lake/CONTRIBUTING.md deleted file mode 100644 index e819fac2f6c7e..0000000000000 
--- a/integrations/amazon-security-lake/CONTRIBUTING.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Wazuh to Amazon Security Lake Integration Development Guide - -## Deployment guide on Docker - -A demo of the integration can be started using the content of this folder and Docker. Open a terminal in the `wazuh-indexer/integrations` folder and start the environment. - -```console -docker compose -f ./docker/compose.amazon-security-lake.yml up -d -``` - -This Docker Compose project will bring up these services: - -- a _wazuh-indexer_ node -- a _wazuh-dashboard_ node -- a _logstash_ node -- our [events generator](../tools/events-generator/README.md) -- an AWS Lambda Python container. - -| Service | Address | Credentials | -| ------------- | ------------------------ | --------------- | -| Wazuh Indexer | https://localhost:9200 | admin:admin | -| Dashboards | https://localhost:5601 | admin:admin | -| S3 Ninja | http://localhost:9444/ui | | - -On the one hand, the event generator will push events constantly to the indexer, to the `wazuh-alerts-4.x-sample` index by default (refer to the [events generator](../tools/events-generator/README.md) documentation for customization options). On the other hand, Logstash will query for new data and deliver it to output configured in the pipeline `indexer-to-s3`. This pipeline delivers the data to an S3 bucket, from which the data is processed using a Lambda function, to finally be sent to the Amazon Security Lake bucket in Parquet format. - -The pipeline starts automatically, but if you need to start it manually, attach a terminal to the Logstash container and start the integration using the command below: - -```console -/usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-s3.conf -``` - -After 5 minutes, the first batch of data will show up in http://localhost:9444/ui/wazuh-aws-security-lake-raw. You'll need to invoke the Lambda function manually, selecting the log file to process. 
- -```bash -bash amazon-security-lake/invoke-lambda.sh -``` - -Processed data will be uploaded to http://localhost:9444/ui/wazuh-aws-security-lake-parquet. Click on any file to download it, and check it's content using `parquet-tools`. Just make sure of installing the virtual environment first, through [requirements.txt](./requirements.txt). - -```bash -parquet-tools show -``` - -If the `S3_BUCKET_OCSF` variable is set in the container running the AWS Lambda function, intermediate data in OCSF and JSON format will be written to a dedicated bucket. This is enabled by default, writing to the `wazuh-aws-security-lake-ocsf` bucket. Bucket names and additional environment variables can be configured editing the [compose.amazon-security-lake.yml](../docker/compose.amazon-security-lake.yml) file. - -For development or debugging purposes, you may want to enable hot-reload, test or debug on these files, by using the `--config.reload.automatic`, `--config.test_and_exit` or `--debug` flags, respectively. - -For production usage, follow the instructions in our documentation page about this matter. -See [README.md](README.md). The instructions on that section have been based on the following AWS tutorials and documentation. - -- [Tutorial: Using an Amazon S3 trigger to create thumbnail images](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-tutorial.html) -- [Tutorial: Using an Amazon S3 trigger to invoke a Lambda function](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html) -- [Working with .zip file archives for Python Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/python-package.html) -- [Best practices for working with AWS Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html) - -## Makefile - -**Docker is required**. - -The [Makefile](./Makefile) in this folder automates the generation of a zip deployment package containing the source code and the required dependencies for the AWS Lambda function. 
Simply run `make` and it will generate the `wazuh_to_amazon_security_lake.zip` file. The main target runs a Docker container to install the Python3 dependencies locally, and zips the source code and the dependencies together. diff --git a/integrations/amazon-security-lake/Dockerfile b/integrations/amazon-security-lake/Dockerfile deleted file mode 100644 index 2a5420e4bcfef..0000000000000 --- a/integrations/amazon-security-lake/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -# docker build --platform linux/amd64 --no-cache -f aws-lambda.dockerfile -t docker-image:test . -# docker run --platform linux/amd64 -p 9000:8080 docker-image:test - -# FROM public.ecr.aws/lambda/python:3.9 -FROM amazon/aws-lambda-python:3.12 - -# Copy requirements.txt -COPY requirements.aws.txt ${LAMBDA_TASK_ROOT} - -# Install the specified packages -RUN pip install -r requirements.aws.txt - -# Copy function code -COPY src ${LAMBDA_TASK_ROOT} - -# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile) -CMD [ "lambda_function.lambda_handler" ] diff --git a/integrations/amazon-security-lake/Makefile b/integrations/amazon-security-lake/Makefile deleted file mode 100644 index d93bcbb400e74..0000000000000 --- a/integrations/amazon-security-lake/Makefile +++ /dev/null 
@@ -1,30 +0,0 @@ - -ZIP_NAME = wazuh_to_amazon_security_lake -TARGET = package -SRC = src - -# Main target -.ONESHELL: -$(ZIP_NAME).zip: $(TARGET) $(SRC)/lambda_function.py $(SRC)/wazuh_ocsf_converter.py - @cd $(TARGET) - @zip -r ../$(ZIP_NAME).zip . - @cd ../$(SRC) - @zip ../$@ lambda_function.py wazuh_ocsf_converter.py - @zip ../$@ models -r - -$(TARGET): - docker run -v `pwd`:/src -w /src \ - python:3.12 \ - pip install \ - --platform manylinux2014_x86_64 \ - --target=$(TARGET) \ - --implementation cp \ - --python-version 3.12 \ - --only-binary=:all: \ - -r requirements.aws.txt - -clean: - @rm -rf $(TARGET) - docker run -v `pwd`:/src -w /src \ - python:3.12 \ - py3clean . \ No newline at end of file diff --git a/integrations/amazon-security-lake/README.md b/integrations/amazon-security-lake/README.md deleted file mode 100644 index 989bbbafc868b..0000000000000 --- a/integrations/amazon-security-lake/README.md +++ /dev/null 
@@ -1,292 +0,0 @@ -# Wazuh to Amazon Security Lake Integration Guide - -## Table of Contents - -- [Wazuh to Amazon Security Lake Integration Guide](#wazuh-to-amazon-security-lake-integration-guide) - - [Table of Contents](#table-of-contents) - - [Introduction](#introduction) - - [Amazon Security Lake](#amazon-security-lake) - - [Open Cybersecurity Schema Framework](#open-cybersecurity-schema-framework) - - [Wazuh Security Events](#wazuh-security-events) - - [Wazuh Security Events to Amazon Security Lake](#wazuh-security-events-to-amazon-security-lake) - - [Prerequisites](#prerequisites) - - [Integration guide](#integration-guide) - - [Configure Amazon Security Lake](#configure-amazon-security-lake) - - [Create a custom source for Wazuh](#create-a-custom-source-for-wazuh) - - [Create an S3 bucket to store events](#create-an-s3-bucket-to-store-events) - - [Create an AWS Lambda function](#create-an-aws-lambda-function) - - [Validation](#validation) - - [Install and configure Logstash](#install-and-configure-logstash) - - [Configure the Logstash pipeline](#configure-the-logstash-pipeline) - - [Running Logstash](#running-logstash) - - [OCSF Mapping](#ocsf-mapping) - - [Metadata](#metadata) - - [Security events](#security-events) - - [Troubleshooting](#troubleshooting) - - [Support](#support) - -## Introduction - -### Amazon Security Lake - -Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, on premises, and cloud sources into a purpose-built data lake stored in your account. With Security Lake, you can get a more complete understanding of your security data across your entire organization. You can also improve the protection of your workloads, applications, and data. Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes and combines security data from AWS and a broad range of enterprise security data sources. 
- -### Open Cybersecurity Schema Framework - -The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes. - -### Wazuh Security Events - -Wazuh uses rules to monitor the events and logs in your network to detect security threats. When the events and logs meet the test criteria that is defined in the rules, an alert is created to show that a security attack or policy breach is suspected. - -**References**: - -- https://documentation.wazuh.com/current/user-manual/ruleset/getting-started.html#github-repository -- https://github.com/wazuh/wazuh/tree/main/ruleset/rules -- https://github.com/wazuh/wazuh/blob/main/extensions/elasticsearch/7.x/wazuh-template.json - -### Wazuh Security Events to Amazon Security Lake - -Wazuh Security Events can be converted to OCSF events and Parquet format, required by Amazon Security Lake, by using an AWS Lambda Python function, a Logstash instance and an AWS S3 bucket. - -A properly configured Logstash instance can send the Wazuh Security events to an AWS S3 bucket, automatically invoking the AWS Lambda function that will transform and send the events to the Amazon Security lake dedicated S3 bucket. 
- -The diagram below illustrates the process of converting Wazuh Security Events to OCSF events and to Parquet format for Amazon Security Lake: - -![Overview diagram of the Wazuh integration with Amazon Security Lake](./images/asl-overview.jpeg) - -## Prerequisites - -1. Amazon Security Lake is enabled. -2. At least one up and running `wazuh-indexer` instance with populated `wazuh-alerts-4.x-*` indices. -3. A Logstash instance. -4. An S3 bucket to store raw events. -5. An AWS Lambda function, using the Python 3.12 runtime. -6. (Optional) An S3 bucket to store OCSF events, mapped from raw events. - -## Integration guide - -### Configure Amazon Security Lake - -Enable Amazon Security Lake as per the [official instructions](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html). - -#### Create a custom source for Wazuh - -Follow the [official documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html) to register Wazuh as a custom source. - -To create the custom source: - -1. From the Amazon Security Lake console, click on _Custom Sources_. -2. Click on the _Create custom source_ button. -3. Enter "Wazuh" as the _Data source name_. -4. Select "Security Finding" as the _OCSF Event class_. -5. For _AWS account with permission to write data_, enter the AWS account ID and External ID of the custom source that will write logs and events to the data lake. -6. For _Service Access_, create and use a new service role or use an existing service role that gives Security Lake permission to invoke AWS Glue. - ![*Custom source* creation form](./images/asl-custom-source-form.jpeg) -7. Choose _Create_. Upon creation, Amazon Security Lake automatically creates an AWS Service Role with permissions to push files into the Security Lake bucket, under the proper prefix named after the custom source name. An AWS Glue Crawler is also created to populate the AWS Glue Data Catalog automatically. 
- ![*Custom source* after creation](./images/asl-custom-source.jpeg) -8. Finally, collect the S3 bucket details, as these will be needed in the next step. Make sure you have the following information: - - The Amazon Security Lake S3 region. - - The S3 bucket name (e.g, `aws-security-data-lake-us-east-1-AAABBBCCCDDD`). - -### Create an S3 bucket to store events - -Follow the [official documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) to create an S3 bucket within your organization. Use a descriptive name, for example: `wazuh-aws-security-lake-raw`. - -### Create an AWS Lambda function - -Follow the [official documentation](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html) to create an AWS Lambda: - -- Select Python 3.12 as the runtime. -- Configure the runtime to have 512 MB of memory and 30 seconds timeout. -- Configure a trigger so every object with `.txt` extension uploaded to the S3 bucket created previously invokes the Lambda. - ![AWS Lambda trigger](./images/asl-lambda-trigger.jpeg) -- Use the [Makefile](./Makefile) to generate the zip package `wazuh_to_amazon_security_lake.zip`, and upload it to the S3 bucket created previously as per [these instructions](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip). See [CONTRIBUTING](./CONTRIBUTING.md) for details about the Makefile. 
-- Configure the Lambda with the at least the required _Environment Variables_ below: - - | Environment variable | Required | Value | - | -------------------- | -------- | -------------------------------------------------------------------------------------------------- | - | AWS_BUCKET | True | The name of the Amazon S3 bucket in which Security Lake stores your custom source data | - | SOURCE_LOCATION | True | The _Data source name_ of the _Custom Source_ | - | ACCOUNT_ID | True | Enter the ID that you specified when creating your Amazon Security Lake custom source | - | REGION | True | AWS Region to which the data is written | - | S3_BUCKET_OCSF | False | S3 bucket to which the mapped events are written | - | OCSF_CLASS | False | The OCSF class to map the events into. Can be "SECURITY_FINDING" (default) or "DETECTION_FINDING". | - -### Validation - -To validate that the Lambda function works as it should, add the sample events below to the `sample.txt` file and upload it to the S3 bucket. 
- -``` -{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:20:46.976+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80791","description":"Audit: Command: /usr/sbin/crond"},"location":"","agent":{"id":"004","ip":"47.204.15.21","name":"Ubuntu"},"data":{"audit":{"type":"NORMAL","file":{"name":"/etc/sample/file"},"success":"yes","command":"cron","exe":"/usr/sbin/crond","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:20:46.976Z"} -{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:03.034+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80790","description":"Audit: Command: /usr/sbin/bash"},"location":"","agent":{"id":"007","ip":"24.273.97.14","name":"Debian"},"data":{"audit":{"type":"PATH","file":{"name":"/bin/bash"},"success":"yes","command":"bash","exe":"/usr/sbin/bash","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:03.034Z"} -{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:08.087+0000","rule":{"id":"1740","mail":false,"description":"Sample alert 1","groups":["ciscat"],"level":9},"location":"","agent":{"id":"006","ip":"207.45.34.78","name":"Windows"},"data":{"cis":{"rule_title":"CIS-CAT 5","timestamp":"2024-04-22T14:22:08.087+0000","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","result":"notchecked","pass":52,"fail":0,"group":"Access, Authentication and Authorization","unknown":61,"score":79,"notchecked":1,"@timestamp":"2024-04-22T14:22:08.087+0000"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:08.087Z"} -``` - -A successful 
execution of the Lambda function will map these events into the OCSF Security Finding Class and write them to the Amazon Security Lake S3 bucket in Paquet format, properly partitioned based on the Custom Source name, Account ID, AWS Region and date, as described in the [official documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html#custom-sources-best-practices). - -### Install and configure Logstash - -Install Logstash on a dedicated server or on the server hosting the `wazuh-indexer`. Logstash forwards the data from the `wazuh-indexer` to the [AWS S3 bucket created previously](#create-an-s3-bucket-to-store-events). - -1. Follow the [official documentation](https://www.elastic.co/guide/en/logstash/current/installing-logstash.html) to install Logstash. -2. Install the [logstash-input-opensearch](https://github.com/opensearch-project/logstash-input-opensearch) plugin and the [logstash-output-s3](https://www.elastic.co/guide/en/logstash/8.13/plugins-outputs-s3.html) plugin (this one is installed by default in most cases). - - ```console - sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch - ``` - -3. Copy the `wazuh-indexer` root certificate on the Logstash server, to any folder of your choice (e.g, `/usr/share/logstash/root-ca.pem`). -4. Give the `logstash` user the required permissions to read the certificate. - - ```console - sudo chmod -R 755 /root-ca.pem - ``` - -#### Configure the Logstash pipeline - -A [Logstash pipeline](https://www.elastic.co/guide/en/logstash/current/configuration.html) allows Logstash to use plugins to read the data from the `wazuh-indexer`and send them to an AWS S3 bucket. - -The Logstash pipeline requires access to the following secrets: - -- `wazuh-indexer` credentials: `INDEXER_USERNAME` and `INDEXER_PASSWORD`. -- AWS credentials for the account with permissions to write to the S3 bucket: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. 
-- AWS S3 bucket details: `AWS_REGION` and `S3_BUCKET` (bucket name). - -1. Use the [Logstash keystore](https://www.elastic.co/guide/en/logstash/current/keystore.html) to securely store these values. - - -2. Create the configuration file `indexer-to-s3.conf` in the `/etc/logstash/conf.d/` folder: - - ```console - sudo touch /etc/logstash/conf.d/indexer-to-s3.conf - ``` - -3. Add the following configuration to the `indexer-to-s3.conf` file. - - ```console - input { - opensearch { - hosts => [":9200"] - user => "${INDEXER_USERNAME}" - password => "${INDEXER_PASSWORD}" - ssl => true - ca_file => "/root-ca.pem" - index => "wazuh-alerts-4.x-*" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-5m" - } - } - } - }' - schedule => "*/5 * * * *" - } - } - - output { - stdout { - id => "output.stdout" - codec => json_lines - } - s3 { - id => "output.s3" - access_key_id => "${AWS_ACCESS_KEY_ID}" - secret_access_key => "${AWS_SECRET_ACCESS_KEY}" - region => "${AWS_REGION}" - bucket => "${S3_BUCKET}" - codec => "json_lines" - retry_count => 0 - validate_credentials_on_root_bucket => false - prefix => "%{+YYYY}%{+MM}%{+dd}" - server_side_encryption => true - server_side_encryption_algorithm => "AES256" - additional_settings => { - "force_path_style" => true - } - time_file => 5 - } - } - ``` - -#### Running Logstash - -1. Once you have everything set, run Logstash from the CLI with your configuration: - - ```console - sudo systemctl stop logstash - sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/indexer-to-s3.conf --path.settings /etc/logstash --config.test_and_exit - ``` - -2. After confirming that the configuration loads correctly without errors, run Logstash as a service. - - ```console - sudo systemctl enable logstash - sudo systemctl start logstash - ``` - -## OCSF Mapping - -The integration maps Wazuh Security Events to the **OCSF v1.1.0** [Security Finding (2001)](https://schema.ocsf.io/classes/security_finding) Class. 
-The tables below represent how the Wazuh Security Events are mapped into the OCSF Security Finding Class. - -> **NOTE**: This does not reflect any transformations or evaluations of the data. Some data evaluation and transformation will be necessary for a correct representation in OCSF that matches all requirements. - -### Metadata - -| **OCSF Key** | **OCSF Value Type** | **Value** | -| ---------------------------- | ------------------- | ------------------ | -| category_uid | Integer | 2 | -| category_name | String | "Findings" | -| class_uid | Integer | 2001 | -| class_name | String | "Security Finding" | -| type_uid | Long | 200101 | -| metadata.product.name | String | "Wazuh" | -| metadata.product.vendor_name | String | "Wazuh, Inc." | -| metadata.product.version | String | "4.9.1" | -| metadata.product.lang | String | "en" | -| metadata.log_name | String | "Security events" | -| metadata.log_provider | String | "Wazuh" | - -#### Security events - -| **OCSF Key** | **OCSF Value Type** | **Wazuh Event Value** | -| ---------------------- | ------------------- | -------------------------------------- | -| activity_id | Integer | 1 | -| time | Timestamp | timestamp | -| message | String | rule.description | -| count | Integer | rule.firedtimes | -| finding.uid | String | id | -| finding.title | String | rule.description | -| finding.types | String Array | input.type | -| analytic.category | String | rule.groups | -| analytic.name | String | decoder.name | -| analytic.type | String | "Rule" | -| analytic.type_id | Integer | 1 | -| analytic.uid | String | rule.id | -| risk_score | Integer | rule.level | -| attacks.tactic.name | String | rule.mitre.tactic | -| attacks.technique.name | String | rule.mitre.technique | -| attacks.technique.uid | String | rule.mitre.id | -| attacks.version | String | "v13.1" | -| nist | String Array | rule.nist_800_53 | -| severity_id | Integer | convert(rule.level) | -| status_id | Integer | 99 | -| resources.name | String | agent.name 
| -| resources.uid | String | agent.id | -| data_sources | String Array | ['_index', 'location', 'manager.name'] | -| raw_data | String | full_log | - -## Troubleshooting - -| **Issue** | **Resolution** | -| --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Wazuh alert data is available in the Amazon Security Lake S3 bucket, but the Glue Crawler fails to parse the data into the Security Lake. | This issue typically occurs when the custom source that is created for the integration is using the wrong event class. Make sure you create the custom source with the Security Finding event class. | - -## Support - -The integration guide is an open source project and not a Wazuh product. As such, it carries no formal support, expressed, or implied. If you encounter any issues while deploying the integration guide, you can create an issue on our GitHub repository for bugs, enhancements, or other requests. - -Amazon Security Lake is an AWS product. As such, any questions or problems you experience with this service should be handled through a support ticket with AWS Support. diff --git a/integrations/amazon-security-lake/images/asl-custom-source-form.jpeg b/integrations/amazon-security-lake/images/asl-custom-source-form.jpeg deleted file mode 100644 index c14d960f7370d..0000000000000 Binary files a/integrations/amazon-security-lake/images/asl-custom-source-form.jpeg and /dev/null differ 
diff --git a/integrations/amazon-security-lake/images/asl-custom-source.jpeg b/integrations/amazon-security-lake/images/asl-custom-source.jpeg deleted file mode 100644 index 71fb91088ce1e..0000000000000 Binary files a/integrations/amazon-security-lake/images/asl-custom-source.jpeg and /dev/null differ diff --git a/integrations/amazon-security-lake/images/asl-lambda-trigger.jpeg b/integrations/amazon-security-lake/images/asl-lambda-trigger.jpeg deleted file mode 100644 index 8efb04895779b..0000000000000 Binary files a/integrations/amazon-security-lake/images/asl-lambda-trigger.jpeg and /dev/null differ diff --git a/integrations/amazon-security-lake/images/asl-overview.jpeg b/integrations/amazon-security-lake/images/asl-overview.jpeg deleted file mode 100644 index 294cf4024ba49..0000000000000 Binary files a/integrations/amazon-security-lake/images/asl-overview.jpeg and /dev/null differ diff --git a/integrations/amazon-security-lake/invoke-lambda.sh b/integrations/amazon-security-lake/invoke-lambda.sh deleted file mode 100644 index 9ce9b05fbc2f0..0000000000000 --- a/integrations/amazon-security-lake/invoke-lambda.sh +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/bash - -export S3_BUCKET_RAW=wazuh-aws-security-lake-raw - -curl -X POST "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{ - "Records": [ - { - "eventVersion": "2.0", - "eventSource": "aws:s3", - "awsRegion": "us-east-1", - "eventTime": "1970-01-01T00:00:00.000Z", - "eventName": "ObjectCreated:Put", - "userIdentity": { - "principalId": "AIDAJDPLRKLG7UEXAMPLE" - }, - "requestParameters":{ - "sourceIPAddress":"127.0.0.1" - }, - "responseElements":{ - "x-amz-request-id":"C3D13FE58DE4C810", - "x-amz-id-2":"FMyUVURIY8/IgAtTv8xRjskZQpcIZ9KG4V5Wp6S7S/JRWeUWerMUE5JgHvANOjpD" - }, - "s3": { - "s3SchemaVersion": "1.0", - "configurationId": "testConfigRule", - "bucket": { - "name": "'"${S3_BUCKET_RAW}"'", - "ownerIdentity": { - "principalId":"A3NL1KOZZKExample" - }, - "arn": "'"arn:aws:s3:::${S3_BUCKET_RAW}"'" - }, - "object": { - "key": "'"${1}"'", - "size": 1024, - "eTag":"d41d8cd98f00b204e9800998ecf8427e", - "versionId":"096fKKXTRTtl3on89fVO.nfljtsv6qko" - } - } - } - ] -}' diff --git a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf b/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf deleted file mode 100644 index f1acee7b5c45c..0000000000000 --- a/integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf +++ /dev/null 
@@ -1,53 +0,0 @@ -input { - opensearch { - hosts => ["wazuh.indexer:9200"] - user => "${INDEXER_USERNAME}" - password => "${INDEXER_PASSWORD}" - ssl => true - ca_file => "/usr/share/logstash/root-ca.pem" - index => "wazuh-alerts-4.x-*" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-5m" - } - } - } - }' - schedule => "*/5 * * * *" - } -} - -output { - stdout { - id => "output.stdout" - codec => json_lines - } - s3 { - id => "output.s3" - access_key_id => "${AWS_ACCESS_KEY_ID}" - bucket => "${S3_BUCKET_RAW}" - codec => "json_lines" - encoding => "gzip" - endpoint => "${AWS_ENDPOINT}" - prefix => "%{+YYYY}%{+MM}%{+dd}" - region => "${AWS_REGION}" - retry_count => 0 - secret_access_key => "${AWS_SECRET_ACCESS_KEY}" - server_side_encryption => true - server_side_encryption_algorithm => "AES256" - time_file => 5 - validate_credentials_on_root_bucket => false - additional_settings => { - "force_path_style" => true - } - } - file { - id => "output.file" - path => "/usr/share/logstash/logs/indexer-to-file-%{+YYYY-MM-dd-HH}.log" - file_mode => 0644 - codec => json_lines - flush_interval => 30 - } -} diff --git a/integrations/amazon-security-lake/logstash/setup.sh b/integrations/amazon-security-lake/logstash/setup.sh deleted file mode 100644 index 9527f1fa58362..0000000000000 --- a/integrations/amazon-security-lake/logstash/setup.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/bash - -# This script creates and configures a keystore for Logstash to store -# indexer's credentials. NOTE: works only for dockerized logstash. -# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html - -# Create keystore -/usr/share/logstash/bin/logstash-keystore create --path.settings /etc/logstash -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME --path.settings /etc/logstash -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD --path.settings /etc/logstash 
diff --git a/integrations/amazon-security-lake/requirements.aws.txt b/integrations/amazon-security-lake/requirements.aws.txt deleted file mode 100644 index ea911617dede4..0000000000000 --- a/integrations/amazon-security-lake/requirements.aws.txt +++ /dev/null @@ -1,2 +0,0 @@ -pyarrow>=10.0.1 -pydantic>=2.6.1 \ No newline at end of file diff --git a/integrations/amazon-security-lake/requirements.txt b/integrations/amazon-security-lake/requirements.txt deleted file mode 100644 index 7d14ea9fb1b10..0000000000000 --- a/integrations/amazon-security-lake/requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -pyarrow>=10.0.1 -parquet-tools>=0.2.15 -pydantic>=2.6.1 -boto3==1.34.46 \ No newline at end of file diff --git a/integrations/amazon-security-lake/src/lambda_function.py b/integrations/amazon-security-lake/src/lambda_function.py deleted file mode 100644 index e56caa4bf6426..0000000000000 --- a/integrations/amazon-security-lake/src/lambda_function.py +++ /dev/null 
@@ -1,185 +0,0 @@ -import logging -import os -import urllib.parse -import json -import gzip -import boto3 -import pyarrow as pa -import pyarrow.parquet as pq -from botocore.exceptions import ClientError -import wazuh_ocsf_converter - -logger = logging.getLogger() -logger.setLevel("INFO") - -# Initialize boto3 client outside the handler -if os.environ.get('IS_DEV'): - s3_client = boto3.client( - service_name='s3', - aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'), - aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY'), - region_name=os.environ.get('REGION'), - endpoint_url=os.environ.get('AWS_ENDPOINT'), - ) -else: - s3_client = boto3.client('s3') - - -def get_events(bucket: str, key: str) -> list: - """ - Retrieve events from S3 object. - """ - logger.info(f"Reading {key}.") - try: - response = s3_client.get_object(Bucket=bucket, Key=key) - data = gzip.decompress(response['Body'].read()).decode('utf-8') - return data.splitlines() - except ClientError as e: - logger.error( - f"Failed to read S3 object {key} from bucket {bucket}: {e}") - return [] - - -def write_parquet_file(ocsf_events: list, filename: str) -> None: - """ - Write OCSF events to a Parquet file. - """ - table = pa.Table.from_pylist(ocsf_events) - pq.write_table(table, filename, compression='ZSTD') - - -def upload_to_s3(bucket: str, key: str, filename: str) -> bool: - """ - Upload a file to S3 bucket. - """ - logger.info(f"Uploading data to {bucket}.") - try: - with open(filename, 'rb') as data: - s3_client.put_object(Bucket=bucket, Key=key, Body=data) - return True - except ClientError as e: - logger.error( - f"Failed to upload file (unknown) to bucket {bucket}: {e}") - return False - - -def exit_on_error(error_message): - """ - Print error message and exit with non-zero status code. - Args: - error_message (str): Error message to display. 
- """ - print(f"Error: {error_message}") - exit(1) - - -def check_environment_variables(variables): - """ - Check if required environment variables are set. - Args: - variables (list): List of required environment variable names. - Returns: - bool: True if all required environment variables are set, False otherwise. - """ - missing_variables = [var for var in variables if not os.environ.get(var)] - if missing_variables: - error_message = f"The following environment variables are not set: {', '.join(missing_variables)}" - exit_on_error(error_message) - return False - return True - - -def get_full_key(src_location: str, account_id: str, region: str, key: str, format: str) -> str: - """ - Constructs a full S3 key path for storing a Parquet file based on event metadata. - - Args: - src_location (str): Source location identifier. - account_id (str): AWS account ID associated with the event. - region (str): AWS region where the event occurred. - key (str): Event key containing metadata information. - format (str): File extension. - - Returns: - str: Full S3 key path for storing the Parquet file. 
- - Example: - If key is '20240417_ls.s3.0055f22e-200e-4259-b865-8ccea05812be.2024-04-17T15.45.part29.txt', - this function will return: - 'ext/src_location/region=region/accountId=account_id/eventDay=20240417/0055f22e200e4259b8658ccea05812be.parquet' - """ - # Extract event day from the key (first 8 characters) - event_day = key[:8] - - # Extract filename (UUID) from the key and remove hyphens - filename_parts = key.split('.') - filename = ''.join(filename_parts[2].split('-')) - - # Construct the full S3 key path for storing the file - key = ( - f'ext/{src_location}/region={region}/accountId={account_id}/eventDay={event_day}/(unknown).{format}' - ) - - return key - - -def lambda_handler(event, context): - - # Define required environment variables - required_variables = ['AWS_BUCKET', 'SOURCE_LOCATION', 'ACCOUNT_ID', 'REGION'] - - # Check if all required environment variables are set - if not check_environment_variables(required_variables): - return - - # Retrieve environment variables - dst_bucket = os.environ['AWS_BUCKET'] - src_location = os.environ['SOURCE_LOCATION'] - account_id = os.environ['ACCOUNT_ID'] - region = os.environ['REGION'] - ocsf_bucket = os.environ.get('S3_BUCKET_OCSF') - ocsf_class = os.environ.get('OCSF_CLASS', 'SECURITY_FINDING') - - # Extract bucket and key from S3 event - src_bucket = event['Records'][0]['s3']['bucket']['name'] - key = urllib.parse.unquote_plus( - event['Records'][0]['s3']['object']['key'], encoding='utf-8') - logger.info(f"Lambda function invoked due to {key}.") - logger.info( - f"Source bucket name is {src_bucket}. 
Destination bucket is {dst_bucket}.") - - # Read events from source S3 bucket - raw_events = get_events(src_bucket, key) - if not raw_events: - return - - # Transform events to OCSF format - ocsf_events = wazuh_ocsf_converter.transform_events(raw_events, ocsf_class) - - # Upload event in OCSF format - ocsf_upload_success = False - if ocsf_bucket is not None: - tmp_filename = '/tmp/tmp.json' - with open(tmp_filename, "w") as fd: - fd.write(json.dumps(ocsf_events)) - ocsf_key = get_full_key(src_location, account_id, region, key, 'json') - ocsf_upload_success = upload_to_s3(ocsf_bucket, ocsf_key, tmp_filename) - - # Write OCSF events to Parquet file - tmp_filename = '/tmp/tmp.parquet' - write_parquet_file(ocsf_events, tmp_filename) - - # Upload Parquet file to destination S3 bucket - parquet_key = get_full_key(src_location, account_id, region, key, 'parquet') - upload_success = upload_to_s3(dst_bucket, parquet_key, tmp_filename) - - # Clean up temporary file - os.remove(tmp_filename) - - # Prepare response - response = { - 'size': len(raw_events), - 'upload_success': upload_success, - 'ocsf_upload_success': ocsf_upload_success - } - return json.dumps(response) diff --git a/integrations/amazon-security-lake/src/models/__init__.py b/integrations/amazon-security-lake/src/models/__init__.py deleted file mode 100644 index 8dc7d9f3af00b..0000000000000 --- a/integrations/amazon-security-lake/src/models/__init__.py +++ /dev/null @@ -1,2 +0,0 @@ -import models.wazuh -import models.ocsf diff --git a/integrations/amazon-security-lake/src/models/ocsf.py b/integrations/amazon-security-lake/src/models/ocsf.py deleted file mode 100644 index 63ab7fc7102a5..0000000000000 --- a/integrations/amazon-security-lake/src/models/ocsf.py +++ /dev/null 
@@ -1,104 +0,0 @@ -import pydantic -import typing -import abc - - -class AnalyticInfo(pydantic.BaseModel): - category: str - name: str - type_id: int = 1 - uid: str - - -# Deprecated since v1.1.0. Use AnalyticInfo instead. -class Analytic(pydantic.BaseModel): - category: str - name: str - type: str = "Rule" - type_id: int = 1 - uid: str - - -class TechniqueInfo(pydantic.BaseModel): - name: str - uid: str - - -class AttackInfo(pydantic.BaseModel): - tactic: TechniqueInfo - technique: TechniqueInfo - version: str = "v13.1" - - -class FindingInfo(pydantic.BaseModel): - analytic: AnalyticInfo - attacks: typing.List[AttackInfo] - title: str - types: typing.List[str] - uid: str - - -# Deprecated since v1.1.0. Use FindingInfo instead. -class Finding(pydantic.BaseModel): - title: str - types: typing.List[str] - uid: str - - -class ProductInfo(pydantic.BaseModel): - name: str - lang: str - vendor_name: str - - -class Metadata(pydantic.BaseModel): - log_name: str = "Security events" - log_provider: str = "Wazuh" - product: ProductInfo = ProductInfo( - name="Wazuh", - lang="en", - vendor_name="Wazuh, Inc,." - ) - version: str = "1.1.0" - - -class Resource(pydantic.BaseModel): - name: str - uid: str - - -class FindingABC(pydantic.BaseModel, abc.ABC): - activity_id: int = 1 - category_name: str = "Findings" - category_uid: int = 2 - class_name: str - class_uid: int - count: int - message: str - metadata: Metadata = Metadata() - raw_data: str - resources: typing.List[Resource] - risk_score: int - severity_id: int - status_id: int = 99 - time: int - type_uid: int - unmapped: typing.Dict[str, typing.List[str]] = pydantic.Field() - - -class DetectionFinding(FindingABC): - class_name: str = "Detection Finding" - class_uid: int = 2004 - finding_info: FindingInfo - type_uid: int = 200401 - - -# Deprecated since v1.1.0. Use DetectionFinding instead. 
-class SecurityFinding(FindingABC): - analytic: Analytic - attacks: typing.List[AttackInfo] - class_name: str = "Security Finding" - class_uid: int = 2001 - finding: Finding - state_id: int = 1 - type_uid: int = 200101 diff --git a/integrations/amazon-security-lake/src/models/wazuh.py b/integrations/amazon-security-lake/src/models/wazuh.py deleted file mode 100644 index f73ed832b9165..0000000000000 --- a/integrations/amazon-security-lake/src/models/wazuh.py +++ /dev/null @@ -1,50 +0,0 @@ -import pydantic -import typing - -# =========== Wazuh event models =========== # -# These are only the fields required for the integration. - - -class Mitre(pydantic.BaseModel): - technique: typing.List[str] = ["N/A"] - id: typing.List[str] = ["N/A"] - tactic: typing.List[str] = ["N/A"] - - -class Rule(pydantic.BaseModel): - firedtimes: int = 0 - description: str = "N/A" - groups: typing.List[str] = [] - id: str = "N/A" - mitre: Mitre = Mitre() - level: int = 0 - nist_800_53: typing.List[str] = [] - - -class Decoder(pydantic.BaseModel): - name: str = "N/A" - - -class Input(pydantic.BaseModel): - type: str = "N/A" - - -class Agent(pydantic.BaseModel): - name: str - id: str - - -class Manager(pydantic.BaseModel): - name: str - - -class Event(pydantic.BaseModel): - rule: Rule = Rule() - decoder: Decoder = Decoder() - input: Input = Input() - id: str = "" - full_log: str = "" - agent: Agent = {} - timestamp: str = "" - location: str = "" - manager: Manager = {} diff --git a/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py b/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py deleted file mode 100644 index 494a3c62a7fa6..0000000000000 --- a/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py +++ /dev/null 
@@ -1,185 +0,0 @@ -import pydantic -import models -import logging -from datetime import datetime - - -timestamp_pattern = "%Y-%m-%dT%H:%M:%S.%f%z" - - -def normalize(level: int) -> int: - """ - Normalizes rule level into the 0-6 range, required by OCSF. - """ - if level >= 15: # (5) Critical - severity = 5 - elif level >= 11: # (4) High - severity = 4 - elif level >= 8: # (3) Medium - severity = 3 - elif level >= 4: # (2) Low - severity = 2 - elif level >= 0: # (1) Informational - severity = 1 - else: - severity = 0 # (0) Unknown - - return severity - - -def join(iterable, separator=","): - return (separator.join(iterable)) - - -def to_detection_finding(event: models.wazuh.Event) -> models.ocsf.DetectionFinding: - """ - Convert Wazuh security event to OCSF detection finding. - """ - try: - - finding_info = models.ocsf.FindingInfo( - analytic=models.ocsf.AnalyticInfo( - category=", ".join(event.rule.groups), - name=event.decoder.name, - uid=event.rule.id - ), - attacks=[ - models.ocsf.AttackInfo( - tactic=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.tactic), - uid=", ".join(event.rule.mitre.id) - ), - technique=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.technique), - uid=", ".join(event.rule.mitre.id) - ) - ) - ], - title=event.rule.description, - types=[event.input.type], - uid=event.id - ) - - resources = [models.ocsf.Resource( - name=event.agent.name, uid=event.agent.id)] - - severity_id = normalize(event.rule.level) - - unmapped = { - "data_sources": [ - event.location, - event.manager.name - ], - "nist": event.rule.nist_800_53 # Array - } - - return models.ocsf.DetectionFinding( - count=event.rule.firedtimes, - message=event.rule.description, - finding_info=finding_info, - raw_data=event.full_log, - resources=resources, - risk_score=event.rule.level, - severity_id=severity_id, - time=to_epoch(event.timestamp), - unmapped=unmapped - ) - except AttributeError as e: - logging.error(f"Error transforming event: {e}") - return {} - - 
-def to_security_finding(event: models.wazuh.Event) -> models.ocsf.SecurityFinding: - """ - Convert Wazuh security event to OCSF's Security Finding class. - """ - try: - - analytic = models.ocsf.Analytic( - category=", ".join(event.rule.groups), - name=event.decoder.name, - uid=event.rule.id - ) - - attacks = [ - models.ocsf.AttackInfo( - tactic=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.tactic), - uid=", ".join(event.rule.mitre.id) - ), - technique=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.technique), - uid=", ".join(event.rule.mitre.id) - ) - ) - ] - - finding = models.ocsf.Finding( - title=event.rule.description, - types=[event.input.type], - uid=event.id - ) - - resources = [models.ocsf.Resource( - name=event.agent.name, uid=event.agent.id)] - - severity_id = normalize(event.rule.level) - - unmapped = { - "data_sources": [ - event.location, - event.manager.name - ], - "nist": event.rule.nist_800_53 # Array - } - - return models.ocsf.SecurityFinding( - analytic=analytic, - attacks=attacks, - count=event.rule.firedtimes, - message=event.rule.description, - finding=finding, - raw_data=event.full_log, - resources=resources, - risk_score=event.rule.level, - severity_id=severity_id, - time=to_epoch(event.timestamp), - unmapped=unmapped - ) - except AttributeError as e: - logging.error(f"Error transforming event: {e}") - return {} - - -def to_epoch(timestamp: str) -> int: - return int(datetime.strptime(timestamp, timestamp_pattern).timestamp()) - - -def from_json(json_line: str) -> models.wazuh.Event: - """ - Parse the JSON string representation of a Wazuh security event into a dictionary (model). - """ - # Needs to a string, bytes or bytearray - try: - return models.wazuh.Event.model_validate_json(json_line) - except pydantic.ValidationError as e: - print(e) - - -def transform_events(events: list, ocsf_class: str) -> list: - """ - Transform a list of Wazuh security events (json string) to OCSF format. 
- """ - logging.info("Transforming Wazuh security events to OCSF.") - ocsf_events = [] - for event in events: - try: - wazuh_event = from_json(event) - if ocsf_class == 'DETECTION_FINDING': - ocsf_event = to_detection_finding(wazuh_event).model_dump() - else: - ocsf_event = to_security_finding(wazuh_event).model_dump() - ocsf_events.append(ocsf_event) - except Exception as e: - logging.error(f"Error transforming line to OCSF: {e}") - return ocsf_events diff --git a/integrations/docker/.env b/integrations/docker/.env deleted file mode 100644 index 0e43e74546626..0000000000000 --- a/integrations/docker/.env +++ /dev/null @@ -1,44 +0,0 @@ -# Password for the 'elastic' user (at least 6 characters) -ELASTIC_PASSWORD=elastic - -# Password for the 'kibana_system' user (at least 6 characters) -KIBANA_PASSWORD=elastic - -# Set the cluster name -CLUSTER_NAME=elastic - -# Set to 'basic' or 'trial' to automatically start the 30-day trial -LICENSE=basic - -# Port to expose Elasticsearch HTTP API to the host -ES_PORT=9201 - -# Port to expose Kibana to the host -KIBANA_PORT=5602 - -# Increase or decrease based on the available host memory (in bytes) -MEM_LIMIT=1073741824 - -# Wazuh version -WAZUH_VERSION=4.10.1 - -# Wazuh Indexer version (Provisionally using OpenSearch) -WAZUH_INDEXER_VERSION=2.18.0 - -# Wazuh Dashboard version (Provisionally using OpenSearch Dashboards) -WAZUH_DASHBOARD_VERSION=2.18.0 - -# Wazuh certs generator version -WAZUH_CERTS_GENERATOR_VERSION=0.0.1 - -# OpenSearch destination cluster version -OS_VERSION=2.18.0 - -# Logstash version: -LOGSTASH_OSS_VERSION=8.9.0 - -# Splunk version: -SPLUNK_VERSION=9.4.0 - -# Version of Elastic products -STACK_VERSION=8.17.1 diff --git a/integrations/docker/compose.amazon-security-lake.yml b/integrations/docker/compose.amazon-security-lake.yml deleted file mode 100644 index 8c9b610b97c6f..0000000000000 --- a/integrations/docker/compose.amazon-security-lake.yml +++ /dev/null 
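Review bot: the error handling in the removed `transform.py` should not be carried over if this logic is being relocated rather than dropped. `to_detection_finding` and `to_security_finding` return `{}` on `AttributeError`, `from_json` prints the `pydantic.ValidationError` and implicitly returns `None`, and `transform_events` then calls `.model_dump()` on whatever comes back, so a malformed event only ever surfaces as the generic `Error transforming line to OCSF` message instead of as the validation failure that caused it. Two mapping details are also worth checking wherever the conversion now lives: `normalize()` documents the 0-6 OCSF severity range but never emits 6, and the tactic `uid` is filled from `event.rule.mitre.id`, the same list used for the technique `uid`. Because `compose.amazon-security-lake.yml` (deleted in the next hunk) mounted this module into the `aws.lambda` service via `../amazon-security-lake/src:/var/task` and selected the class with `OCSF_CLASS`, the PR description should say where the OCSF transformation moved.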
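Review bot: `.env` was the single place that pinned every version the compose files interpolate (`WAZUH_INDEXER_VERSION`, `WAZUH_DASHBOARD_VERSION`, `OS_VERSION`, `STACK_VERSION`, `LOGSTASH_OSS_VERSION`, `SPLUNK_VERSION`, `WAZUH_CERTS_GENERATOR_VERSION`, plus `ES_PORT`, `KIBANA_PORT` and `MEM_LIMIT`), so any compose file or document under `integrations/` that survives this change and still references them will resolve to empty image tags or empty port mappings; grep for `${` uses of these names before merging. Nothing in it needs rotating: `ELASTIC_PASSWORD=elastic` and `KIBANA_PASSWORD=elastic` are throwaway lab defaults.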
@@ -1,175 +0,0 @@ -name: "amazon-security-lake" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - container_name: events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - container_name: wazuh.indexer - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - # - cluster.name=opensearch-cluster - - node.name=wazuh.indexer - - discovery.type=single-node - # - cluster.initial_cluster_manager_nodes=opensearch-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - 
./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - container_name: wazuh.dashboard - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 # Map host port 5601 to container port 5601 - expose: - - "5601" # Expose port 5601 for web access to OpenSearch Dashboards - volumes: - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - logstash: - depends_on: - - wazuh.indexer - # image: wazuh/indexer-security-lake-integration - image: logstash-oss:${LOGSTASH_OSS_VERSION} - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - # container_name: wazuh.integration.security.lake - # hostname: wazuh.integration.security.lake - environment: - LOG_LEVEL: trace - LOGSTASH_KEYSTORE_PASS: "SecretPassword" - MONITORING_ENABLED: false - AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" - AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - AWS_REGION: "us-east-1" - S3_BUCKET_RAW: 
"wazuh-aws-security-lake-raw" - AWS_ENDPOINT: "http://s3.ninja:9000" - ports: - - "5000:5000/tcp" - - "5000:5000/udp" - - "5044:5044" - - "9600:9600" - volumes: - - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline - - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - - s3.ninja: - image: scireum/s3-ninja:latest - container_name: s3.ninja - hostname: s3.ninja - ports: - - "9444:9000" - volumes: - - s3-data:/home/sirius/data - - aws.lambda: - image: wazuh/indexer-security-lake-integration:lambda - build: - context: ../amazon-security-lake - environment: - AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" - AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - REGION: "us-east-1" - AWS_BUCKET: "wazuh-aws-security-lake-parquet" - S3_BUCKET_OCSF: "wazuh-aws-security-lake-ocsf" - AWS_ENDPOINT: "http://s3.ninja:9000" - SOURCE_LOCATION: "wazuh" - ACCOUNT_ID: "111111111111" - IS_DEV: true - OCSF_CLASS: SECURITY_FINDING - volumes: - - ../amazon-security-lake/src:/var/task - ports: - - "9000:8080" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - depends_on: - generate-certs-config: - condition: service_completed_successfully - container_name: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" - volumes: - - ./certs/:/certificates/ - - ./config/certs.yml:/config/certs.yml - -volumes: - data: - s3-data: 
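Review bot: no secret-hygiene follow-up is needed for this removal: the `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` pairs in `logstash` and `aws.lambda` are the AWS documentation example credentials (`AKIAIOSFODNN7EXAMPLE`), and `LOGSTASH_KEYSTORE_PASS: "SecretPassword"` and the `admin:admin` healthcheck are lab-only values pointed at the local `s3.ninja` endpoint. If the environment is rebuilt elsewhere, two settings should not be copied as they stand: `LOG_LEVEL: trace` on `logstash` (far more verbose than the `info` the other compose files use) and `IS_DEV: true` on `aws.lambda`, both of which belong in `.env` rather than hard-coded in the service definition. Note also that the `wazuh-certs-generator` entrypoint runs `chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*`, so `./certs/root-ca.pem`, which `logstash` bind-mounts as `/usr/share/logstash/root-ca.pem`, is only readable by UID 1000 or GID 999; any change to the user the Logstash image runs as breaks TLS verification silently at startup.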
diff --git a/integrations/docker/compose.indexer-elastic.yml b/integrations/docker/compose.indexer-elastic.yml deleted file mode 100644 index fa4f20b8165b3..0000000000000 --- a/integrations/docker/compose.indexer-elastic.yml +++ /dev/null 
@@ -1,259 +0,0 @@ -name: "elastic-integration" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - - node.name=wazuh.indexer - - discovery.type=single-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 # Map host port 5601 to container port 5601 - expose: - - "5601" # Expose port 5601 for web access to OpenSearch Dashboards - volumes: - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - depends_on: - generate-certs-config: - condition: service_completed_successfully - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" - volumes: - - ./certs/:/certificates/ - - 
./config/certs.yml:/config/certs.yml - - # ================================= - # Elasticsearch, Kibana and Logstash - # ================================= - # https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html - - setup: - image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} - volumes: - - es_certs:/usr/share/elasticsearch/config/certs - user: "0" - command: > - bash -c ' - if [ x${ELASTIC_PASSWORD} == x ]; then - echo "Set the ELASTIC_PASSWORD environment variable in the .env file"; - exit 1; - elif [ x${KIBANA_PASSWORD} == x ]; then - echo "Set the KIBANA_PASSWORD environment variable in the .env file"; - exit 1; - fi; - if [ ! -f config/certs/ca.zip ]; then - echo "Creating CA"; - bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip; - unzip config/certs/ca.zip -d config/certs; - fi; - if [ ! -f config/certs/certs.zip ]; then - echo "Creating certs"; - echo -ne \ - "instances:\n"\ - " - name: es01\n"\ - " dns:\n"\ - " - es01\n"\ - " - localhost\n"\ - " ip:\n"\ - " - 127.0.0.1\n"\ - " - name: kibana\n"\ - " dns:\n"\ - " - kibana\n"\ - " - localhost\n"\ - " ip:\n"\ - " - 127.0.0.1\n"\ - > config/certs/instances.yml; - bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key; - unzip config/certs/certs.zip -d config/certs; - fi; - echo "Setting file permissions" - chown -R 1000:1000 config/certs; - find . -type d -exec chmod 750 \{\} \;; - find . 
-type f -exec chmod 640 \{\} \;; - echo "Waiting for Elasticsearch availability"; - until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done; - echo "Setting kibana_system password"; - until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done; - echo "All done!"; - ' - healthcheck: - test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] - interval: 1s - timeout: 5s - retries: 120 - - es01: - depends_on: - setup: - condition: service_healthy - image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} - volumes: - - es_certs:/usr/share/elasticsearch/config/certs - ports: - - ${ES_PORT}:9200 - environment: - - node.name=es01 - - cluster.name=${CLUSTER_NAME} - - cluster.initial_master_nodes=es01 - - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} - - bootstrap.memory_lock=true - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true - - xpack.security.http.ssl.key=certs/es01/es01.key - - xpack.security.http.ssl.certificate=certs/es01/es01.crt - - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.key=certs/es01/es01.key - - xpack.security.transport.ssl.certificate=certs/es01/es01.crt - - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.license.self_generated.type=${LICENSE} - mem_limit: ${MEM_LIMIT} - ulimits: - memlock: - soft: -1 - hard: -1 - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", - ] - interval: 10s - timeout: 10s - retries: 120 - - kibana: - depends_on: - es01: - condition: 
service_healthy - image: docker.elastic.co/kibana/kibana:${STACK_VERSION} - volumes: - - es_certs:/usr/share/kibana/config/certs - ports: - - ${KIBANA_PORT}:5601 - environment: - - SERVERNAME=kibana - - ELASTICSEARCH_HOSTS=https://es01:9200 - - ELASTICSEARCH_USERNAME=kibana_system - - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD} - - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt - - SERVER_SSL_ENABLED=true - - SERVER_SSL_KEY=/usr/share/kibana/config/certs/kibana/kibana.key - - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/certs/kibana/kibana.crt - mem_limit: ${MEM_LIMIT} - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s -I https://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", - ] - interval: 10s - timeout: 10s - retries: 120 - - logstash: - depends_on: - es01: - condition: service_healthy - image: logstash-oss:${LOGSTASH_OSS_VERSION} - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - environment: - LOG_LEVEL: info - MONITORING_ENABLED: false - volumes: - - ../elastic/logstash/pipeline:/usr/share/logstash/pipeline - - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - - es_certs:/etc/certs/elastic - command: logstash -f /usr/share/logstash/pipeline/indexer-to-elastic.conf - -volumes: - data: - es_certs: diff --git a/integrations/docker/compose.indexer-opensearch.yml b/integrations/docker/compose.indexer-opensearch.yml deleted file mode 100644 index 8fc2c4364117c..0000000000000 --- a/integrations/docker/compose.indexer-opensearch.yml +++ /dev/null 
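Review bot: the `es_certs` volume over-shares the CA private key. `setup` writes `config/certs/ca/ca.key` (the `--ca-key` used to sign the `es01` and `kibana` certificates) into that volume, makes every file group-readable with `find . -type f -exec chmod 640`, and `logstash` then mounts the whole volume at `/etc/certs/elastic` even though a client only needs `ca/ca.crt` to verify `es01`. If this file is reinstated anywhere, mount only the CA certificate into Logstash or keep the CA key in a volume that only `setup` sees. Minor: `setup` runs as `user: "0"` solely to `chown -R 1000:1000 config/certs`, and the Kibana healthcheck matches the literal string `HTTP/1.1 302 Found`, which fails if the server answers with a different HTTP version or status.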
@@ -1,194 +0,0 @@ -name: "opensearch-integration" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - - node.name=wazuh.indexer - - discovery.type=single-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 - expose: - - "5601" - volumes: - - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER.SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - - name: opensearch.node - ip: \"opensearch.node\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - - name: opensearch.dashboards - ip: \"opensearch.dashboards\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - depends_on: - generate-certs-config: - condition: service_completed_successfully - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 
/certificates/*" - volumes: - - ./certs/:/certificates/ - - ./config/certs.yml:/config/certs.yml - - # ================================================ - # OpenSearch, OpenSearch Dashboards and Logstash - # ================================================ - - opensearch.node: - image: opensearchproject/opensearch:${OS_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - environment: - - cluster.name=opensearch-cluster - - node.name=opensearch.node - - discovery.type=single-node - - bootstrap.memory_lock=true - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - - "DISABLE_INSTALL_DEMO_CONFIG=true" - volumes: - - ../opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml - - ./certs/opensearch.node-key.pem:/usr/share/opensearch/config/certs/opensearch.key - - ./certs/opensearch.node.pem:/usr/share/opensearch/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch/config/certs/root-ca.pem - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - ports: - - 9201:9200 - - 9600:9600 - healthcheck: - test: - [ - "CMD-SHELL", - "curl -sku admin:admin https://opensearch.node:9200 2>&1 | grep -q 'The OpenSearch Project: https://opensearch.org/'", - ] - interval: 1s - timeout: 5s - retries: 120 - - opensearch-dashboards: - image: opensearchproject/opensearch-dashboards:${OS_VERSION} - depends_on: - opensearch.node: - condition: service_healthy - ports: - - 5602:5601 - expose: - - "5602" - volumes: - - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - - environment: - - 
'OPENSEARCH_HOSTS="https://opensearch.node:9200"' - - logstash: - image: logstash-oss:${LOGSTASH_OSS_VERSION} - depends_on: - opensearch.node: - condition: service_healthy - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - environment: - LOGSTASH_OSS_VERSION: ${LOGSTASH_OSS_VERSION} - LOG_LEVEL: info - MONITORING_ENABLED: false - volumes: - - ../opensearch/logstash/pipeline:/usr/share/logstash/pipeline - - ./certs/root-ca.pem:/etc/ssl/root-ca.pem - command: logstash -f /usr/share/logstash/pipeline/indexer-to-opensearch.conf - -volumes: - data: - os_config: diff --git a/integrations/docker/compose.indexer-splunk.yml b/integrations/docker/compose.indexer-splunk.yml deleted file mode 100644 index 9f9681f8cb965..0000000000000 --- a/integrations/docker/compose.indexer-splunk.yml +++ /dev/null 
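Review bot: the `wazuh.dashboard` service in this file had two defects that should not resurface if it is restored. The environment key `SERVER.SSL_CERTIFICATE` (dot instead of underscore) is not the `SERVER_SSL_CERTIFICATE` form the other compose files use, so the certificate path never reached the process; and the service mounts `opensearch.dashboards.pem`/`opensearch.dashboards-key.pem` as its server certificate although `certs.yml` issues a separate `wazuh.dashboard` certificate for that hostname. Two smaller inconsistencies: `opensearch-dashboards` sets `'OPENSEARCH_HOSTS="https://opensearch.node:9200"'` as a quoted bare string rather than the JSON array form (`'["https://wazuh.indexer:9200"]'`) used everywhere else, and the top-level `volumes:` declares `os_config`, which no service references.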
@@ -1,182 +0,0 @@ -name: "splunk-integration" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - - node.name=wazuh.indexer - - discovery.type=single-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 # Map host port 5601 to container port 5601 - expose: - - "5601" # Expose port 5601 for web access to OpenSearch Dashboards - volumes: - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - depends_on: - generate-certs-config: - condition: service_completed_successfully - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" - volumes: - - ./certs/:/certificates/ - - 
./config/certs.yml:/config/certs.yml - - # ================================= - # Splunk and Logstash - # ================================= - - generator: - image: cfssl/cfssl - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - volumes: - - ./certs/:/certs/ - - ../splunk/cfssl/:/conf/ - entrypoint: /bin/bash - command: > - -c ' - cd /certs - cat /conf/host.json | \ - cfssl gencert \ - -ca root-ca.pem \ - -ca-key root-ca.key \ - -config /conf/cfssl.json \ - -profile=server - | \ - cfssljson -bare splunk - openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key - rm splunk.csr - cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem - chown -R 1000:1000 /certs/splunk* - ' - - splunk: - image: splunk/splunk:${SPLUNK_VERSION} - volumes: - - ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key - - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem - - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem - - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf - - ../splunk/config/default.yml:/tmp/defaults/default.yml - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - generator: - condition: service_completed_successfully - ports: - - "8000:8000" - - "8088:8088" - environment: - SPLUNK_VERSION: ${SPLUNK_VERSION} - SPLUNK_HEC_TOKEN: "abcd1234" - SPLUNK_HOSTNAME: splunk - SPLUNK_HTTP_ENABLESSL: "true" - SPLUNK_PASSWORD: Password.1234 - SPLUNK_STANDALONE_URL: https://splunk:8080 - SPLUNK_START_ARGS: --accept-license - - logstash: - image: logstash-oss:${LOGSTASH_OSS_VERSION} - depends_on: - splunk: - condition: service_healthy - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - environment: - LOGSTASH_OSS_VERSION: ${LOGSTASH_OSS_VERSION} - LOG_LEVEL: info - MONITORING_ENABLED: false - volumes: - - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline - - 
./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf - -volumes: - data: diff --git a/integrations/docker/config/certs.yml b/integrations/docker/config/certs.yml deleted file mode 100644 index 7a4ef691e5e10..0000000000000 --- a/integrations/docker/config/certs.yml +++ /dev/null @@ -1,20 +0,0 @@ -nodes: - # Wazuh indexer and OpenSearch server nodes - indexer: - - name: wazuh.indexer - ip: wazuh.indexer - - name: opensearch.node - ip: opensearch.node - - # Wazuh server nodes - # Use node_type only with more than one Wazuh manager - server: - - name: wazuh.manager - ip: wazuh.manager - - # Wazuh dashboard and OpenSearch Dashboards nodes - dashboard: - - name: wazuh.dashboard - ip: wazuh.dashboard - - name: opensearch.dashboards - ip: opensearch.dashboards diff --git a/integrations/elastic/Dockerfile b/integrations/elastic/Dockerfile deleted file mode 100644 index 82314abd3c3bd..0000000000000 --- a/integrations/elastic/Dockerfile +++ /dev/null @@ -1,19 +0,0 @@ -FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:latest - -ENV LOGSTASH_KEYSTORE_PASS "SecretPassword" -ENV LS_PATH "/usr/share/logstash" -USER logstash - -# https://github.com/elastic/logstash/issues/6600 -# Install plugin -RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch - -COPY --chown=logstash:logstash logstash/pipeline /usr/share/logstash/pipeline -# Copy and run the setup.sh script to create and configure a keystore for Logstash. -COPY --chown=logstash:logstash logstash/setup.sh /usr/share/logstash/bin/setup.sh -RUN bash /usr/share/logstash/bin/setup.sh - -# Disable ECS compatibility -RUN `echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml` - -WORKDIR /usr/share/logstash \ No newline at end of file diff --git a/integrations/elastic/README.md b/integrations/elastic/README.md deleted file mode 100644 index 3092a7d85eccd..0000000000000 
--- a/integrations/elastic/README.md +++ /dev/null 
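Review bot: in the removed `compose.indexer-splunk.yml`, `logstash` declares `depends_on: splunk: condition: service_healthy`, but the `splunk` service defines no `healthcheck:` in the file, so the ordering only works if the `splunk/splunk` image ships its own HEALTHCHECK; the other compose files define the check explicitly on the service they wait for. Points that should not be copied forward if this environment is recreated: `SPLUNK_HEC_TOKEN: "abcd1234"` and `SPLUNK_PASSWORD: Password.1234` are hard-coded in the service instead of taken from `.env`, and `SPLUNK_STANDALONE_URL: https://splunk:8080` names a port that the `ports:` mapping (`8000`, `8088`) does not expose, which looks like a typo worth verifying. The `generator` service also bundles the private key into `splunkhec.pem` (`cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem`) and then `chown -R 1000:1000 /certs/splunk*`, leaving three copies of the key (`splunk-key.pem`, `splunk.key`, `splunkhec.pem`) in the shared `./certs/` directory.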
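Review bot: the removed `integrations/elastic/Dockerfile` baked `LOGSTASH_KEYSTORE_PASS "SecretPassword"` into an image layer with `ENV`, and built `FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:latest` rather than the `${LOGSTASH_OSS_VERSION}` pin the compose files pass as a build arg; if a replacement image is added, take the keystore password from a build secret or the runtime environment and pin the base tag. The line `RUN \`echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml\`` only works by accident: the backticks are command substitution, so the shell runs the `echo` (which performs the append) and then executes its empty output as the command; it should be a plain `RUN echo ... >> ...` without backticks.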
@@ -1,47 +0,0 @@ -# Wazuh to Elastic Integration Developer Guide - -This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the Elastic Stack. For a detailed guide on how to integrate Wazuh with Elastic Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html). - -## Requirements - -- Docker and Docker Compose installed. - -## Usage - -1. Clone the Wazuh repository and navigate to the `integrations/` folder. -2. Run the following command to start the environment: - ```bash - docker compose -f ./docker/compose.indexer-elastic.yml up -d - ``` - -The Docker Compose project will bring up the following services: - -- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). -- 1x Wazuh Indexer (OpenSearch). -- 1x Logstash -- 1x Elastic -- 1x Kibana - -For custom configurations, you may need to modify these files: - -- [docker/compose.indexer-elastic.yml](../docker/compose.indexer-elastic.yml): Docker Compose file. -- [docker/.env](../docker/.env): Environment variables file. -- [elastic/logstash/pipeline/indexer-to-elastic.conf](./logstash/pipeline/indexer-to-elastic.conf): Logstash Pipeline configuration file. - -Check the files above for **credentials**, ports, and other configurations. - -| Service | Address | Credentials | -| ------------- | ---------------------- | --------------- | -| Wazuh Indexer | https://localhost:9200 | admin:admin | -| Elastic | https://localhost:9201 | elastic:elastic | -| Kibana | https://localhost:5602 | elastic:elastic | - -## Importing the dashboards - -The dashboards for Elastic are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to Elastic are the following: - -- On Kibana, expand the left menu, and go to `Stack management`. 
-- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. -- Click on Import and complete the process. - -Imported dashboards will appear in the `Dashboards` app on the left menu. diff --git a/integrations/elastic/dashboards.ndjson b/integrations/elastic/dashboards.ndjson deleted file mode 100644 index a02f7704eb14e..0000000000000 --- a/integrations/elastic/dashboards.ndjson +++ /dev/null 
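Review bot: the relative links in this guide (`../docker/compose.indexer-elastic.yml`, `../docker/.env`, `../tools/events-generator/README.md`, `./logstash/pipeline/indexer-to-elastic.conf`, `./dashboards.ndjson`) and the credentials table (`admin:admin`, `elastic:elastic` on ports 9200, 9201 and 5602) are the only place these test defaults were documented; confirm the top-level README and any integrations index no longer link to `integrations/elastic/README.md` or to those paths, and that the compose file and `.env` carrying the default credentials are removed in the same change rather than left in place undocumented. Keeping the external pointer to the Wazuh Elastic Stack integration guide somewhere reachable would avoid losing the only remaining reference for users of this setup.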
@@ -1,9 +0,0 @@ -{"attributes":{"fieldAttrs":"{}","fieldFormatMap":"{}","fields":"[]","name":"wazuh-alerts-4.x-*","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x-*","typeMeta":"{}"},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T17:17:45.191Z","id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-24T17:17:45.191Z","version":"WzI1MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":0,\"w\":8,\"h\":5,\"i\":\"9931cceb-51f1-4e47-bd26-491e7a624592\"},\"panelIndex\":\"9931cceb-51f1-4e47-bd26-491e7a624592\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"accessor\":\"df19010a-26e5-446d-9d74-56fe2495e38b\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#db5871\",\"stop\":2}],\"colorStops\":[{\"color\":\"#db5871\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language
\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"exists\",\"key\":\"data.vulnerability.severity\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"data.vulnerability.severity\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\":{\"columns\":{\"df19010a-26e5-446d-9d74-56fe2495e38b\":{\"label\":\"Critical Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Critical\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df19010a-26e5-446d-9d74-56fe2495e38b\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":8,\"h\":5,\"i\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\"},\"panelIndex\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"accessor\":\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#0c5da3\",\"stop\":2}],\"colorStops\":[{\"color\":\"#0c5da3\",
\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"fd6049b6-e52c-449e-9775-ded5ac1eac15\":{\"columns\":{\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\":{\"label\":\"Hight Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"High\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":9,\"h\":5,\"i\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\"},\"panelIndex\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"accessor\":\"b7764bb5-540b-4183-a8c5-e9e856e48949\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#007d73\",\"stop\":2}],\"colorStops\":[{\"color\":\"#007d73\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a8774fa0-5ae6-4746-94bd-cd21a0210641\":
{\"columns\":{\"b7764bb5-540b-4183-a8c5-e9e856e48949\":{\"label\":\"Medium Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Medium\\\" \",\"language\":\"kuery\"},\"reducedTimeRange\":\"\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"b7764bb5-540b-4183-a8c5-e9e856e48949\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":9,\"h\":5,\"i\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\"},\"panelIndex\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a397e361-0b6a-4d18-b957-2afce890f6c3\",\"accessor\":\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#222222\",\"stop\":2}],\"colorStops\":[{\"color\":\"#222222\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"alias\":\"data.vulnerability.severity : \\\"Low\\\" 
\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"data.vulnerability.severity\\\":\\\"Low\\\"}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"term\":{\"data.vulnerability.severity\":\"Low\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a397e361-0b6a-4d18-b957-2afce890f6c3\":{\"columns\":{\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\":{\"label\":\"Low Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Low\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":25,\"h\":14,\"i\":\"8fe06d85-091b-47aa-a809-aae9150a3314\"},\"panelIndex\":\"8fe06d85-091b-47aa-a809-aae9150a3314\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\
"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"47832b00-8a1a-4d99-8631-89379474c236\",\"accessors\":[\"32448531-8094-4131-89c9-38ed77a620ec\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"yConfig\":[{\"forAccessor\":\"32448531-8094-4131-89c9-38ed77a620ec\",\"axisMode\":\"auto\"}],\"xAccessor\":\"f20c7be6-a511-4b95-be88-6de506dbf1d8\",\"splitAccessor\":\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"47832b00-8a1a-4d99-8631-89379474c236\":{\"columns\":{\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\":{\"label\":\"Top 5 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"32448531-8094-4131-89c9-38ed77a620ec\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f20c7be6-a511-4b95-be88-6de506dbf1d8\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"3h\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"32448531-8094-4131-89c9-38ed77a620ec\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\",\"f20c7be6-a511-4b95-be88-
6de506dbf1d8\",\"32448531-8094-4131-89c9-38ed77a620ec\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert severity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":5,\"w\":23,\"h\":14,\"i\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\"},\"panelIndex\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"type\":\"heatmap_legend\"},\"gridConfig\":{\"type\":\"heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true,\"isYAxisTitleVisible\":false,\"isXAxisTitleVisible\":true,\"yTitle\":\"\"},\"valueAccessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\",\"yAccessor\":\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"xAccessor\":\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"name\":\"positive\",\"continuity\":\"above\",\"reverse\":false,\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":0},{\"color\":\"#aed3ca\",\"stop\":20},{\"color\":\"#85bdb1\",\"stop\":40},{\"color\":\"#5aa898\",\"stop\":60},{\"color\":\"#209280\",\"stop\":80}],\"rangeMin\":0,\"rangeMax\":null},\"accessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\":{\"columns\":{\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":false},\"6fcc771b-b4e8-4684-80da-49b7b897dc24\":{\"label\":\"Top 3 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":false},\"e8d69708-c954-444b-a94f-9eb1befd3197\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Vulnerabilities heat 
map\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":14,\"i\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\"},\"panelIndex\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\"},{\"isTransposed\":false,\"columnId\":\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\"},{\"isTransposed\":false,\"columnId\":\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\",\"hidden\":true},{\"columnId\":\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"isTransposed\":false},{\"columnId\":\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"isTransposed\":false}],\"layerId\":\"d94ddf3d-d285-450e-aba4-46057df55fb7\",\"layerType\":\"data\",\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d94ddf3d-d285-450e-aba4-46057df55fb7\":{\"columns\":{\"542028d8-117e-4ee0-ba25-3ff4475940aa\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":f
alse,\"excludeIsRegex\":false},\"customLabel\":true},\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\":{\"label\":\"data.vulnerability.cve\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.cve\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\":{\"label\":\"data.vulnerability.package.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\":{\"label\":\"data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949
b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"056be5db-ea40-4979-9985-8f0c73a8dcef\":{\"label\":\"data.vulnerability.package.version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\",\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\",\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-vulnerabilities-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:41.475Z","id":"1e68dc60-e2b
5-11ed-9db8-9f0e23f622c3","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:b9624937-542e-4ac9-9f09-ae532ade3311","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"a0b05cdd-c4b5-46b0-af2e-32253bd965e6:indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"b22f2aba-370b-40f2-8f30-c7175fd21d84:indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:a532bc3a-2caf-4353-9a37-17d4fb373b0d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"8fe06d85-091b-47aa-a809-aae9150a3314:indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"680cfedf-a868-4de2-8173-897f4df7f6d7:indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5a8626af-2bc4-4317-ad7f-20622c16db0a:indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:41.475Z","version":"WzQ3OSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":5,\"i\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\"},\"panelIndex\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"accessor\":\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1E75B6\",\"stop\":300}],\"colorStops\":[{\"color\":\"#1E75B6\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\":{\"columns\":{\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\":{\"label\":\"Total\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\"
:{\"x\":16,\"y\":0,\"w\":8,\"h\":5,\"i\":\"dc864252-a518-4187-80ca-b581ad14f1cb\"},\"panelIndex\":\"dc864252-a518-4187-80ca-b581ad14f1cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"accessor\":\"65d5d9ac-208b-4393-b498-12f4351445bd\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#e57488\",\"stop\":8}],\"colorStops\":[{\"color\":\"#e57488\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"alias\":\"rule.level >= 12\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"range\\\":{\\\"rule.level\\\":{\\\"gte\\\":\\\"12\\\"}}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"rule.level\":{\"gte\":\"12\"}}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\":{\"columns\":{\"65d5d9ac-208b-4393-b498-12f4351445bd\":{\"label\":\"Level 12 or above 
alerts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.level >= 12\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65d5d9ac-208b-4393-b498-12f4351445bd\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":8,\"h\":5,\"i\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\"},\"panelIndex\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"28318134-b7bd-4faa-b21e-b0a6665b526f\",\"accessor\":\"e1a6a50b-cffe-4c92-b756-bad658aee97d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#d4458d\",\"stop\":4}],\"colorStops\":[{\"color\":\"#d4458d\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"alias\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"rule.groups\\\":\\\"authentication_failed\\\"}}],\\\"minimum_should_match\\\":1}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"win_authentication_failed\\\",\\\"lenient\\\":true}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"authentication_failures\\\",\\\"lenient\\\":true}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"bool\":{\"should\":[{\"term\":{\"rule.groups\":\"authentication_failed\"}}],\"minimum_should_match\":1}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"win_authentication_failed\",\"lenient\":true}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"authentication_failures\",\"lenient\":true}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"28318134-b7bd-4faa-b21e-b0a6665b526f\":{\"columns\":{\"e1a6a50b-cffe-4c92-b756-bad658aee97d\":{\"label\":\"Athentication failure\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"e1a6a50b-cffe-4c92-b756-bad658aee97d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":5,\"i\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\"},\"panelIndex\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"accessor\":\"ea00d671-3e3a-434a-8813-1dfa3a023112\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1a938a\",\"stop\":2}],\"colorStops\":[{\"color\":\"#1a938a\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"exists\",\"key\":\"rule.groups\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"rule.groups\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"67c3da39-aad2-4ff4-812f-15cf135b2d12\":{\"columns\":{\"ea00d671-3e3a-434a-8813-1dfa3a023112\":{\"label\":\"Authentication 
success\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups: \\\"authentication_success\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ea00d671-3e3a-434a-8813-1dfa3a023112\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":32,\"h\":14,\"i\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\"},\"panelIndex\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"accessors\":[\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"xAccessor\":\"c5296771-93c8-48cb-bf57-cad19d8c829e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e8600050-5477-49a7-a28e-ce9a47ded5f5\":{\"columns\":{\"8d76d731-1e09-4706-b3d9-48108dd7dd32\":{\"label\":\"Count\",\"dataType
\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"c5296771-93c8-48cb-bf57-cad19d8c829e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"3f2d0dea-171c-41ed-9452-29106c10a968\":{\"label\":\"Top 5 values of agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"c5296771-93c8-48cb-bf57-cad19d8c829e\",\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alerts evolution - Top 5 agents\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":5,\"w\":16,\"h\":14,\"i\":\"e35f33d0-784d-471a-842e-576523d0ca80\"},\"panelIndex\":\"e35f33d0-784d-471a-842e-576523d0ca80\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top 
Mitre\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"d2ef6c07-620f-431e-85f2-77175187e0fe\",\"primaryGroups\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\"],\"metrics\":[\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.3,\"legendSize\":\"xlarge\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d2ef6c07-620f-431e-85f2-77175187e0fe\":{\"columns\":{\"a676e778-cad9-431e-b520-3e87b3a0afb2\":{\"label\":\"Top 5 values of rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\",\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K 
tactics\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":15,\"i\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\"},\"panelIndex\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"isTransposed\":false,\"columnId\":\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\"},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"columnId\":\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"columnId\":\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"or
derDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},
\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"c74264a6-eb65-4232-9444-a503723c6fdf\":{\"label\":\"rule.mitre.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:25.862Z","id":"1002c610-a23f-11ed-9c45-1d7f2cbf4bd8","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"c90b5ced-c476-4336-8248-5f5eee09b7d3:indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:4cd727d8-200d-4869-b702-ff540bd3ff56","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:1b7728c2-28d0-40f9-81ed-74e77231242c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:933a08d4-fd4c-4829-938c-df17bc87af15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e:indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e35f33d0-784d-471a-842e-576523d0ca80:indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ee6f5f4c-2a18-4733-a593-23c1f2a24376:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard
","updated_at":"2023-04-24T18:37:25.862Z","version":"WzQ3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":29,\"h\":15,\"i\":\"976e6302-500a-427c-bd29-75cee9034fe6\"},\"panelIndex\":\"976e6302-500a-427c-bd29-75cee9034fe6\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"PCI DSS requirements\",\"description\":\"\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":0,\"showCircles\":true,\"circlesRadius\":10,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true
,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-10w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"1d\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":15,\"i\":\"d299d776-0b4f-4955-b7d6-5717119dba59\"},\"panelIndex\":\"d299d776-0b4f-4955-b7d6-5717119dba59\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"accessors\":[\"0ca7b7c5-03fd-401d-bd44-201d8ca00
b25\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"splitAccessor\":\"852bf376-24f0-4b54-8568-0964c3289eb4\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\":{\"columns\":{\"e17436ee-06c3-4b4e-acda-f8d379648407\":{\"label\":\"Requirements\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"852bf376-24f0-4b54-8568-0964c3289eb4\":{\"label\":\"Top 5 values of 
agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"852bf376-24f0-4b54-8568-0964c3289eb4\",\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Requirements by agent\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":17,\"i\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\"},\"panelIndex\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"PCI 
DSS\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"27ae8c68-e64e-4824-9422-df1611b74c58\"},{\"isTransposed\":false,\"columnId\":\"30508bd4-917e-4614-9922-c445af8e8a8f\"},{\"isTransposed\":false,\"columnId\":\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\"},{\"isTransposed\":false,\"columnId\":\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"df70835d-3cfb-4ead-a942-d60c00330c30\"},{\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"f96a237b-410c-475c-863e-60acde29fc71\",\"isTransposed\":false,\"oneClickFilter\":true}],\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"951964d6-a0d3-4593-911f-b598f1bdd7a6\":{\"columns\":{\"27ae8c68-e64e-4824-9422-df1611b74c58\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"30508bd4-917e-4614-9922-c445af8e8a8f\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7
cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"49885e99-2da3-4165-9b20-9d78ccaca4bd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"df70835d-3cfb-4ead-a942-d60c00330c30\":{\"label\":\"rule.pci_dss\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"f96a237b-410c-475c-863e-60acde29fc71\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\",\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"df70835d-3cfb-4ead-a942-d60c00330c30\",\"27ae8c68-e64e-4824-9422-df1611b74c58\",\"30508bd4-917e-4614-9922-c445af8e8a8f\",\"f96a237b-410c-475c-863e-60acde29fc71\",\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Recent 
events\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:10.201Z","id":"ad09bc40-a634-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"976e6302-500a-427c-bd29-75cee9034fe6:kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"d299d776-0b4f-4955-b7d6-5717119dba59:indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01:indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:10.201Z","version":"WzQ2NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":13,\"i\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\"},\"panelIndex\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"LINEAR\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight
\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"accessors\":[\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"yConfig\":[{\"forAccessor\":\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\",\"color\":\"#40d4e0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\":{\"columns\":{\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Emotet malware 
activity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":13,\"i\":\"cc5ad74e-c871-4ac3-9487-328adc286921\"},\"panelIndex\":\"cc5ad74e-c871-4ac3-9487-328adc286921\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"accessors\":[\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"splitAccessor\":\"52edc505-8c8a-4965-a3f3-46ca861738af\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5ccb00b3-1675-4c9f-a542-927c5930e66e\":{\"columns\":{\"52edc505-8c8a-4965-a3f3-46ca861738af\":{\"label\":\"Top 5 values of 
data.title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.title\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"b662da8a-50ee-4dae-a2bb-25861753d95c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f001735e-ca2b-455d-a50a-b7f44b005f0b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"52edc505-8c8a-4965-a3f3-46ca861738af\",\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Rootkits activity over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":21,\"i\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\"},\"panelIndex\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\"},{\"isTransposed\":false,\"columnId\":\"1169cee0-a32f-48d2-8e12-2919736d710a\"},{\"isTransposed\":false,\"columnId\":\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"125edb0b-de81-41b8-9612-1d87188e2b12\"},{\"isTransposed\":false,\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\",\"hidden\":true},{\"columnId\":\"694278f2-f767-4450-90f5-4a95905e989f\",\"isTransposed\":false},{\"columnId\":\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"isTransposed\":false}],\"layerId\":\"777017d9-58d0-4f3f-8461-64af784d41a4\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"777017d9-58d0-4f3f-8461-64af784d41a4\":{\"columns\":{\"56e30fec-0d21-4af5-9751-7630c08713e8\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"par
entFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\":{\"label\":\"rule.mitre.technique\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.technique\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1169cee0-a32f-48d2-8e12-2919736d710a\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"23107287-fb86-49ea-bdea-79d55b5e7ea4\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"125edb0b-de81-41b8-9612-1d87188e2b12\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-4
93d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a1caa30b-78e1-493d-bb05-f29242d47609\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"694278f2-f767-4450-90f5-4a95905e989f\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"1073b1b6-aa33-4e11-841b-0b6459a56603\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"694278f2-f767-4450-90f5-4a95905e989f\",\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\",\"1169cee0-a32f-48d2-8e12-2919736d710a\",\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"125edb0b-de81-41b8-9612-1d87188e2b12\",\"a1caa30b-78e1-493d-bb05-f29242d47609\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:31.797Z","id":"f9bb41b0-a3cf-11ed-9187-5147a2b9eedf","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"847a1b06-c15d-41a2-9a08-73b056e959fb:indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cc5ad74e-c871-4ac3-9487-328adc286921:indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e3873842-502a-4ba4-a3ab-d5bcdc9d908c:indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:31.797Z","version":"WzQwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":13,\"i\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\"},\"panelIndex\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"primaryGroups\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\"],\"metrics\":[\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":
\"data\",\"emptySizeRatio\":0.7,\"legendSize\":\"large\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\":{\"columns\":{\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"\",\"language\":\"kuery\"}},\"ccea2153-9f5c-4f65-9346-1feceb3783eb\":{\"label\":\"Top 5 values of rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\",\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert 
groups\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":13,\"i\":\"115417e6-11a1-4a55-8055-220b69dad98e\"},\"panelIndex\":\"115417e6-11a1-4a55-8055-220b69dad98e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"right\",\"showSingleSeries\":false},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"accessors\":[\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"splitAccessor\":\"a195fccb-9268-453a-b824-54f1e3f72d12\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"54e72470-df75-47d1-a7a6-3d2f807a39d1\":{\"columns\":{\"a195fccb-9268-453a-b824-54f1e3f72d12\":{\"label\":\"Top 5 values of 
rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"audit\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"a195fccb-9268-453a-b824-54f1e3f72d12\",\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":13,\"i\":\"edc2487b-0a85-4975-b841-457471ee5cd0\"},\"panelIndex\":\"edc2487b-0a85-4975-b841-457471ee5cd0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\"},{\"columnId\":\
"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\":{\"label\":\"rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\
":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"5f8c
9137-f9b6-4074-ba6c-9fa777b6afdf\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Security alerts\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:14.435Z","id":"e30257a0-a641-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"caf3fb07-a3b0-4f51-b000-926f4b26ee4f:indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"115417e6-11a1-4a55-8055-220b69dad98e:indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"edc2487b-0a85-4975-b841-457471ee5cd0:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:14.435Z","version":"WzQwMCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":12,\"i\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\"},\"panelIndex\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"b9d91550-4d81-4724-926b-368cbac70c5c\",\"primaryGroups\":[\"393155df-15ed-400b-bef4-be554873a6c6\"],\"metrics\":[\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b9d91550-4d81-4724-926b-368cbac70c5c\":{\"columns\":{\"393155df-15ed-400b-bef4-be554873a6c6\":{\"label\":\"Top 5 values of data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"393155df-15ed-400b-bef4-be554873a6c6\",\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top 5 events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":14,\"y\":0,\"w\":34,\"h\":12,\"i\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\"},\"panelIndex\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"45315f08-c693-4bdc-aa72-8546f280b2b2\",\"accessors\":[\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"93ae869a-82d8-4825-9391-568728d510a7\",\"splitAccessor\":\"588460de-4d21-471e-922f-0b59d3ec977f\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"45315f08-c693-4bdc-aa72-8546f280b2b2\":{\"columns\":{\"93ae869a-82d8-4825-9391-568728d510a7\":{\"label\":\"timestamp\",\"dataType\":\"da
te\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"69651d63-8697-41d8-b639-5d77e806c90a\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"588460de-4d21-471e-922f-0b59d3ec977f\":{\"label\":\"Top 3 values of data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"69651d63-8697-41d8-b639-5d77e806c90a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"588460de-4d21-471e-922f-0b59d3ec977f\",\"93ae869a-82d8-4825-9391-568728d510a7\",\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":48,\"h\":37,\"i\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\"},\"panelIndex\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"isTransposed\":false},{\"columnId\":\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"isTransposed\":false},{\"columnId\":\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"isTransposed\":false},{\"columnId\":\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"isTransposed\":false},{\"columnId\":\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"isTransposed\":false},{\"columnId\":\"f7109d3b-68d4-418c-b4c4-fe451858d375\",\"isTransposed\":false},{\"columnId\":\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\":{\"columns\":{\"1cedf71d-5da2-423a-8108-0d28190dc1f2\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"09e332ce-350b-499a
-8df5-9b15ed375c20\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e323b79e-be8f-458d-80b9-100d79e6fc3c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"655b8229-82ac-4302-a97c-a5b1778f22f9\":{\"label\":\"data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c47bc042-54fd-4134-9cec-05f36c5c95e0\":{\"label\":\"data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\":{\"label\":\"data.docker.Actor.ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Actor
.ID\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a61f2679-de38-4a5d-b105-dab5d341a400\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7109d3b-68d4-418c-b4c4-fe451858d375\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"28c7593f-f805-4cbd-afed-94dfdbde7d29\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"f7109d3b-68d4-41
8c-b4c4-fe451858d375\",\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:50.548Z","id":"8359c240-a7cf-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631:indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ec92f542-1336-4a92-90e6-548fa7a78db6:indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cac9a63e-4892-4879-bd94-210fd3b5b3d0:indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:50.548Z","version":"WzM5MywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"5177564c-7c79-4412-9c03-99dca92b90d5\"},\"panelIndex\":\"5177564c-7c79-4412-9c03-99dca92b90d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"left\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"bca83102-e00c-4277-b280-a91ef087536e\",\"accessors\":[\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"splitAccessor\":\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bca83102-e00c-4277-b280-a91ef087536e\":{\"columns\":{\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\":{\"label\":\"Top 3 values of 
data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"amazon\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\",\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\"},\"panelIndex\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"primaryGroups\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\"],\"metrics\":[\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\":{\"columns\":{\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\":{\"label\":\"Top 5 values of data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c1031-e343-427d-b141-b47ccc7a570a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4a2c1031-e343-427d-b141-b47ccc7a570a\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\",\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Sources\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\"},\"panelIndex\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"e\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1835ff08-affb-403c-991e-8e642c7a5456\"},{\"isTransposed\":false,\"columnId\":\"6dce6ade-b342-4645-9ff2-228f319d69f7\"},{\"isTransposed\":false,\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\",\"hidden\":true},{\"columnId\":\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"isTransposed\":false},{\"columnId\":\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"isTransposed\":false},{\"columnId\":\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c23cdcb3-1e5c-46f0-9ef2-827d9b867
cb2\":{\"columns\":{\"8882fc10-f772-4a02-af1f-049b59a04dfd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1835ff08-affb-403c-991e-8e642c7a5456\":{\"label\":\"data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6dce6ade-b342-4645-9ff2-228f319d69f7\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f8266242-342d-4046-8bb5-90efe4839a60\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"06b78908-beb7-4a01-a9b0-b7f9775318d9\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ea992e31-8ea1-4548-8182-da51c911cf21\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"a8c6efd9-93b3-4636-96ea-43b359962134\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6dce6ade-b342-4645-9ff2-228f319d69f7\",\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"1835ff08-affb-403c-991e-8e642c7a5456\",\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"f8266242-342d-4046-8bb5-90efe4839a60\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePane
lTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:30.916Z","id":"ff5626e0-a63f-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5177564c-7c79-4412-9c03-99dca92b90d5:indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"692e518d-0688-414b-92e8-6b2bf1b960dd:indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"25e0d536-4163-46e6-abd5-5cd45cd9f30a:indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:30.916Z","version":"WzM1OCwxXQ=="} -{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":8,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file diff --git a/integrations/elastic/logstash/pipeline/es_template.json b/integrations/elastic/logstash/pipeline/es_template.json deleted file mode 100644 index 050034e58ccd2..0000000000000 --- a/integrations/elastic/logstash/pipeline/es_template.json +++ /dev/null 
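Review bot: This deletion of the wazuh-amazon-aws-v1.0 saved-objects export (dashboard id ff5626e0-a63f-11ed-8b0e-91d62e747cc9, exportedCount 8) carries no pointer to where the Elastic AWS dashboard now lives or a statement that it is being dropped; the commit message or a CHANGELOG line should say which, because all three Lens panels bind to index-pattern f410770f-a2da-47db-8a47-20b2ddbdcf5e and anyone who imported this export will be left with that reference once the repository stops shipping it. Please also confirm that no other export under integrations/ still references that index-pattern id, so the change removes the whole set rather than leaving a partial import.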
@@ -1,2042 +0,0 @@ -{ - "index_patterns": [ - "wazuh-alerts-4.x-*", - "wazuh-archives-4.x-*" - ], - "template": { - "settings": { - "index": { - "routing": { - "allocation": { - "include": { - "_tier_preference": "data_content" - } - } - }, - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "refresh_interval": "5s", - "number_of_shards": "3", - "auto_expand_replicas": "0-1", - "query": { - "default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - 
"data.aws.aws_account_id", - "data.aws.description", - "data.aws.dstport", - "data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - 
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - "data.aws.responseElements.description", - "data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - 
"data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - "data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - 
"data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - "data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - "data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - 
"data.vulnerability.cvss.cvss3.vector.scope", - "data.vulnerability.cvss.cvss3.vector.user_interaction", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.source", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.severity", - "data.vulnerability.title", - "data.vulnerability.assigner", - "data.vulnerability.cve_version", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - 
"data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - "data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.mitre.id", - "rule.mitre.tactic", - "rule.mitre.technique", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.mode", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", - "type" - ] - }, - "number_of_replicas": "0" - } - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword" - } - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" 
- }, - "@version": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "agent": { - "properties": { - "id": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "properties": { - "action": { - "type": "keyword" - }, - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": 
"keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "accountId": { - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "createdAt": { - "type": "date" - }, - "dstaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "log_info": { - "properties": { - "s3bucket": { - "type": "keyword" - } - } - }, - "region": { - "type": "keyword" - }, - "resource": { - "properties": { - "instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - }, - "service": { - "properties": { - "action": { - "properties": { - "networkConnectionAction": { - "properties": { - "remoteIpDetails": { - "properties": { - "geoLocation": { - "type": "geo_point" - }, - "ipAddressV4": { - "type": "ip" - } - } - } - } - } - } - }, - "count": { - "type": "long" - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - 
} - }, - "source": { - "type": "keyword" - }, - "source_ip_address": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "start": { - "type": "date" - }, - "updatedAt": { - "type": "date" - } - } - }, - "cis": { - "properties": { - "benchmark": { - "type": "keyword" - }, - "error": { - "type": "long" - }, - "fail": { - "type": "long" - }, - "group": { - "type": "keyword" - }, - "notchecked": { - "type": "long" - }, - "pass": { - "type": "long" - }, - "result": { - "type": "keyword" - }, - "rule_title": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "timestamp": { - "type": "keyword" - }, - "unknown": { - "type": "long" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "docker": { - "properties": { - "Action": { - "type": "keyword" - }, - "Actor": { - "properties": { - "Attributes": { - "properties": { - "image": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "Type": { - "type": "keyword" - } - } - }, - "dstip": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "gcp": { - "properties": { - "jsonPayload": { - "properties": { - "authAnswer": { - "type": "keyword" - }, - "queryName": { - "type": "keyword" - }, - "responseCode": { - "type": "keyword" - }, - "vmInstanceId": { - "type": "keyword" - }, - "vmInstanceName": { - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "labels": { - "properties": { - "location": { - "type": "keyword" - }, - "project_id": { - "type": "keyword" - }, - "source_type": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - } - } - }, - "severity": { - "type": "keyword" - } - } - }, - "github": { - "properties": { - "action": { - "type": "keyword" - }, - "actor": { - "type": "keyword" - }, - "actor_location": { - "properties": { - "country_code": { - "type": "keyword" - } - } - }, - "org": { - "type": 
"keyword" - }, - "repo": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "cpu_name": { - "type": "keyword" - }, - "ram_free": { - "type": "long" - }, - "ram_total": { - "type": "long" - }, - "ram_usage": { - "type": "long" - }, - "serial": { - "type": "keyword" - } - } - }, - "id": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "adapter": { - "type": "keyword" - }, - "ipv4": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "ipv6": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "mac": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "rx_bytes": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "tx_bytes": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "tx_packets": { - "type": "long" - }, - "type": { - "type": "keyword" - } - } - } - } - }, - "office365": { - "properties": { - "Actor": { - "properties": { - "ID": { - "type": "keyword" - } - } - }, - "ClientIP": { - "type": "keyword" - }, - "Operation": { - "type": "keyword" - }, - "ResultStatus": { - "type": "keyword" - }, - "Subscription": { - "type": "keyword" - }, - "UserId": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "architecture": { - 
"type": "keyword" - }, - "build": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "display_version": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "patch": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "osquery": { - "properties": { - "action": { - "type": "keyword" - }, - "calendarTime": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "pack": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "inode": { - "type": "long" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - }, - "protocol": { - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "state": { - "type": 
"keyword" - }, - "tx_queue": { - "type": "long" - } - } - }, - "process": { - "properties": { - "args": { - "type": "keyword" - }, - "cmd": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "nice": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "priority": { - "type": "long" - }, - "processor": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "rgroup": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "session": { - "type": "long" - }, - "sgroup": { - "type": "keyword" - }, - "share": { - "type": "long" - }, - "size": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "stime": { - "type": "long" - }, - "suser": { - "type": "keyword" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "vm_size": { - "type": "long" - } - } - }, - "program": { - "properties": { - "architecture": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "format": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "location": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "source": { - "type": "keyword" - }, - "vendor": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "protocol": { - "type": "keyword" - }, - "sca": { - "properties": { - "check": { - "properties": { - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": 
{ - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "references": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "failed": { - "type": "integer" - }, - "file": { - "type": "keyword" - }, - "invalid": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "policy": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "total_checks": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "srcip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - 
"total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "assigner": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "cve_version": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - 
}, - "title": { - "type": "keyword" - }, - "updated": { - "type": "date" - } - } - } - } - }, - "decoder": { - "properties": { - "accumulate": { - "type": "long" - }, - "fts": { - "type": "long" - }, - "ftscomment": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "parent": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "host": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "predecoder": { - "properties": { - "hostname": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - } - } - }, - "previous_log": { - "type": "text" - }, - "previous_output": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "rule": { - "properties": { - "cis": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "firedtimes": { - "type": "long" - }, - "frequency": { - "type": "long" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "mail": { - "type": "boolean" - }, - "mitre": { - "properties": { - "id": { - "type": "keyword" - }, - "tactic": { - "type": "keyword" - }, - "technique": { - "type": "keyword" - } - } - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "tsc": { - "type": "keyword" - } - } - }, - "syscheck": { - "properties": { - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } 
- }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "hard_links": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "path": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "size_after": { - "type": "long" - }, - "size_before": { - "type": "long" - }, - "tags": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - } - } - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "text" - } - } - }, - "aliases": {} - }, - "version": 1 -} 
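Review bot: this deletion of the Elastic index template must stay paired with the removal of `indexer-to-elastic.conf`, which loads it through `template => '/usr/share/logstash/pipeline/es_template.json'` with `template_name => 'wazuh'` and `template_overwrite => true`; both go in this patch, but before merging grep the compose files and docs for any remaining reference to `es_template.json` or the `wazuh` template name. Worth recording in the PR description for anyone who re-homes this file: it typed score fields such as `cvss2.base_score`, `cvss3.base_score` and `sca.total_checks` as `keyword` (while `sca.failed`/`sca.passed` are `integer`), and the `cvss2.vector` block carries `privileges_required`, `scope` and `user_interaction`, which are CVSS v3 metrics that do not exist in v2, so it should not be treated as a clean reference mapping.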
diff --git a/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf b/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf deleted file mode 100644 index d9e734cae6992..0000000000000 --- a/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf +++ /dev/null @@ -1,35 +0,0 @@ -input { - opensearch { - hosts => ["wazuh.indexer:9200"] - user => "${INDEXER_USERNAME}" - password => "${INDEXER_PASSWORD}" - ssl => true - ca_file => "/usr/share/logstash/root-ca.pem" - index => "wazuh-alerts-4.x-*" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-1m" - } - } - } - }' - schedule => "* * * * *" - } -} - - -output { - elasticsearch { - hosts => "es01" - index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}" - user => "elastic" - password => "elastic" - ssl => true - cacert => '/etc/certs/elastic/ca/ca.crt' - template => '/usr/share/logstash/pipeline/es_template.json' - template_name => 'wazuh' - template_overwrite => true - } -} diff --git a/integrations/elastic/logstash/setup.sh b/integrations/elastic/logstash/setup.sh deleted file mode 100644 index 4852d27efd5e1..0000000000000 --- a/integrations/elastic/logstash/setup.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/bash - -# This script creates and configures a keystore for Logstash to store -# indexer's credentials. NOTE: works only for dockerized logstash. -# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html - -# Create keystore -/usr/share/logstash/bin/logstash-keystore create -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD diff --git a/integrations/logstash/Dockerfile b/integrations/logstash/Dockerfile deleted file mode 100644 index 0c487bc7b2ca1..0000000000000 --- a/integrations/logstash/Dockerfile +++ /dev/null 
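Review bot: the removed `indexer-to-elastic.conf` mixes two credential-handling patterns: the `opensearch` input reads `${INDEXER_USERNAME}` and `${INDEXER_PASSWORD}` from the Logstash keystore that `setup.sh` populates, while the `elasticsearch` output hard-codes `user => "elastic"` and `password => "elastic"`, and `setup.sh` itself pipes the literal `admin` into both keystore entries. If this integration is being relocated rather than dropped, carry over neither pattern: route the Elastic credentials through the keystore as well and take all values from build-time or runtime secrets instead of literals. Also note that polling with `"gt": "now-1m"` on a `* * * * *` schedule leaves event boundaries to timing, so duplicates or gaps at minute edges are possible; a persisted checkpoint on `@timestamp` would be more robust in any successor pipeline.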
@@ -1,19 +0,0 @@ -ARG LOGSTASH_OSS_VERSION -FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:${LOGSTASH_OSS_VERSION} - -ENV LOGSTASH_KEYSTORE_PASS "SecretPassword" -ENV LS_PATH "/usr/share/logstash" -USER logstash - -# https://github.com/elastic/logstash/issues/6600 -# Install plugin -RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch - -# Copy and run the setup.sh script to create and configure a keystore for Logstash. -COPY --chown=logstash:logstash ./setup.sh /usr/share/logstash/bin/setup.sh -RUN bash /usr/share/logstash/bin/setup.sh - -# Disable ECS compatibility -RUN `echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml` - -WORKDIR /usr/share/logstash diff --git a/integrations/logstash/setup.sh b/integrations/logstash/setup.sh deleted file mode 100644 index 4852d27efd5e1..0000000000000 --- a/integrations/logstash/setup.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/bash - -# This script creates and configures a keystore for Logstash to store -# indexer's credentials. NOTE: works only for dockerized logstash. -# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html - -# Create keystore -/usr/share/logstash/bin/logstash-keystore create -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD diff --git a/integrations/opensearch/README.md b/integrations/opensearch/README.md deleted file mode 100644 index f6a9224f8093d..0000000000000 --- a/integrations/opensearch/README.md +++ /dev/null 
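Review bot: in the deleted `integrations/logstash/Dockerfile`, the line that appends `pipeline.ecs_compatibility: disabled` to `logstash.yml` is wrapped in backticks, so the shell runs it as a command substitution (the append happens and prints nothing) and then executes an empty command; it only works by accident, and the intended form is a plain `RUN echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml`. `ENV LOGSTASH_KEYSTORE_PASS "SecretPassword"` bakes the keystore password into the image metadata and layer history, and the `setup.sh` it runs is byte-identical to `integrations/elastic/logstash/setup.sh` (same blob `4852d27efd5e1`) and writes `admin` into both keystore entries. Moot for this repository once the files are gone, but wherever this image is rebuilt, pass the keystore password as a build secret or at runtime and keep a single copy of the setup script.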
@@ -1,47 +0,0 @@ -# Wazuh to OpenSearch Integration Developer Guide - -This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the OpenSearch Stack. For a detailed guide on how to integrate Wazuh with OpenSearch Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/OpenSearch-stack/index.html). - -## Requirements - -- Docker and Docker Compose installed. - -## Usage - -1. Clone the Wazuh repository and navigate to the `integrations/` folder. -2. Run the following command to start the environment: - ```bash - docker compose -f ./docker/compose.indexer-opensearch.yml up -d - ``` - -The Docker Compose project will bring up the following services: - -- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). -- 1x Wazuh Indexer (OpenSearch). -- 1x Logstash -- 1x OpenSearch -- 1x OpenSearch Dashboards - -For custom configurations, you may need to modify these files: - -- [docker/compose.indexer-opensearch.yml](../docker/compose.indexer-opensearch.yml): Docker Compose file. -- [docker/.env](../docker/.env): Environment variables file. -- [opensearch/logstash/pipeline/indexer-to-opensearch.conf](./logstash/pipeline/indexer-to-opensearch.conf): Logstash Pipeline configuration file. - -Check the files above for **credentials**, ports, and other configurations. - -| Service | Address | Credentials | -| --------------------- | ---------------------- | ----------- | -| Wazuh Indexer | https://localhost:9200 | admin:admin | -| OpenSearch | https://localhost:9201 | admin:admin | -| OpenSearch Dashboards | https://localhost:5602 | admin:admin | - -## Importing the dashboards - -The dashboards for OpenSearch are included in [dashboards.ndjson](./dashboards.ndjson). 
The steps to import them to OpenSearch are the following: - -- On OpenSearch Dashboards, expand the left menu, and go to `Dashboards Management`. -- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file. -- Click on Import and complete the process. - -Imported dashboards will appear in the `Dashboards` app on the left menu. diff --git a/integrations/opensearch/dashboards.ndjson b/integrations/opensearch/dashboards.ndjson deleted file mode 100644 index 678866f75dfa9..0000000000000 --- a/integrations/opensearch/dashboards.ndjson +++ /dev/null 
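Review bot: the removed `integrations/opensearch/README.md` is the only place in this diff that documents `docker/compose.indexer-opensearch.yml`, `docker/.env`, `opensearch/logstash/pipeline/indexer-to-opensearch.conf` and the `admin:admin` defaults on ports 9200, 9201 and 5602; the patch deletes `dashboards.ndjson` but none of those three files appear in it, so either they are removed in a companion change or the remaining documentation needs to point at their new home. The same check applies to the relative link `../tools/events-generator/README.md`, which this README was the consumer of.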
@@ -1,38 +0,0 @@ -{"attributes":{"fields":"[{\"count\":0,\"name\":\"@sampledata\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.city_name\"}}},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.country_name\"}}},{\"count\":0,\"name\":\"GeoLocation.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"GeoLocation.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.region_name\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"age
nt.ip\"}}},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.name\"}}},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.node\"}}},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.command\"}}},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":
{\"parent\":\"data.audit.cwd\"}}},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.exe\"}}},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.file.name\"}}},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.success\"}}},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.type\"}}},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.accountId\"}}},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.actor\"}}},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.alert-arn\"}}},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.arn\"}}},{\"count\":0,\"name\":\"data.aws.created-at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.createdAt\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.description\"}}},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.id\"}}},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.log_file\"}}},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.s3bucket\"}}},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.name\"}}},{\"count\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count
\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.notification-type\"}}},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.partition\"}}},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.region\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.principalId\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":
{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userName\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.availabilityZone\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageDescription\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceState\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.launchTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\"}}},{\"cou
nt\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"es
Types\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\"}}},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.resourceType\"}}},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.risk-score\"}}},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.schemaVersion\"}}},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.actionType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.api\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.callerType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.serviceName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.connectionDirection\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.protocol\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\"}}},{\"co
unt\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.
aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"
data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTyp
es\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.inBytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.
\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.secret\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.secret\"}}},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.url\"}}},{\"count\":0,\"name\":\"data.github.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events\"}}},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events_were\"}}},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.hook_id\"}}},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.name\"}}},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.org\"}}},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repo\"}}},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository\"}}},{\"count\":0,\"name\":\"data.github.repository_public\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository_public\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository_public\"}}},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.team\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol_name\"}}},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.user\"}}},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.visibility\"}}},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.id\"}}},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.integration\"}}},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.AadAppId\"}}},{\"count\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"cou
nt\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Actor.ID\"}}},{\"count\":0,\"name\":\"data.office365.Actor.Type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorContextId\"}}},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorIpAddress\"}}},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ApplicationId\"}}},{\"count\":0,\"name\":\"data.office365.AzureActiveDirectoryEventType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"n
ame\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientApplication\"}}},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIP\"}}},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIPAddress\"}}},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientInfoString\"}}},{\"count\":0,\"name\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name
\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CmdletVersion\"}}},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CorrelationId\"}}},{\"count\":0,\"name\":\"data.office365.CreationTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomUniqueId\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomizedDoclib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DataType\"}}},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DatabaseType\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileExtension\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileName\"}}},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationRelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data
.office365.DeviceProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DeviceProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.DoNotDistributeEvent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EffectiveOrganization\"}}},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ErrorNumber\"}}},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"data.office365.EventData\"}}},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EventSource\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.ExternalAccess\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.FromApp\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.HighPriorityMediaProcessing\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Id\"}}},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.InterSystemsId\"}}},{\"count\":0,\"name\":\"data.office365.InternalLogonType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.IntraSystemId\"}}},{\"count\":0,\"name\":\"data.office365.IsDocLib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Attachments\"}}},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.InternetMessageId\"}}},{\"count\":0,\"name\":\"data.office365.Item.IsRecord\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\
"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberRights\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberSid\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberUpn\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Name\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":
\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Path\"}}},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Subject\"}}},{\"count\":0,\"name\":\"data.office365.ItemCount\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ItemType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListBaseTemplateType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",
"name\":\"data.osquery.columns.device_alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.device_alias\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.end\"}}},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\
"parent\":\"data.osquery.columns.executions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.extensions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.filter_name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.flags\"}}},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.gid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.iniface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.instance_id\"}}},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.interval\"}}},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.key\"}}},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.last_executed\"}}},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.match\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\
"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free_perc\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_total\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"s
tring\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mtime\"}}},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.offset\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface_mask\"}}},{\"c
ount\":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.output_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.packets\"}}},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.path\"}}},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.permissions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count
\":0,\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.policy\"}}},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.protocol\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pseudo\"}}},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\"
:{\"parent\":\"data.osquery.columns.resident_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.system_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.target\"}}},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.threshold\"}}},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.tty\"}}},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.type\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.user_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uuid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.value\"}}},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.version\"}}},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.wall_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.watcher\"}}},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.counter\"}}},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.epoch\"}}},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.name\"}}},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.pack\"}}},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.subquery\"}}},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\
"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.protocol\"}}},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.scope\"}}},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcip\"}}},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcport\"}}},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes
\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.status\"}}},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.system_name\"}}},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.time\"}}},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.timeNano\"}}},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[
\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.url\"}}},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.found\"}}},{\"count\":0,\"name\":\"data.virustotal.malicious\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"str
ing\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.permalink\"}}},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.positives\"}}},{\"count\":0,\"name\":\"data.virustotal.scan_date\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.alert_id\"}}},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.file\"}}},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.md5\"}}},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.sha1\"}}},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.total\"}}},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.assigner\"}}},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.bugzilla_references\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve_version\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerabil
ity.cvss.cvss2.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.authentication\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":
\"data.vulnerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.scope\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\"}}},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cwe_reference\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.v
ulnerability.package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.architecture\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.condition\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.name\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.source\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.version\"}}},{\"count\":0,\"name\":\"data.vulnerability.published\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.rationale\"}}},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.references\"}}},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.severity\"}}},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.state\"}}},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.title\"}}},{\"count\":0,\"name\":\"data.vulnerability.updated\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.authenticationPackageName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.failureReason\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipAddress\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipPort\"}}},{\"count\":0,\"name\":\"data.win.eventdata.keyLength\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonProcessName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonType\"}}},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.processId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.status\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subStatus\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectLogonId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectUserSid\"}}},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.targetUserName\"}}},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.channel\"}}},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.computer\"}}},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventID\"}}},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventRecordID\"}}},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.systems\"}}},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.level\"}}},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.message\"}}},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.opcode\"}}},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.processID\"}}},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerGuid\"}}},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerName\"}}},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.severityValue\"}}},{\"count\":0,\"name\":\"data.win.system.systemTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e},{\"count\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.task\"}}},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.threadID\"}}},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.version\"}}},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.name\"}}},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.parent\"}}},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[
\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.original\"}}},{\"count\":0,\"name\":\"fields.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"full_log\"}}},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host\"}}},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"id\"}}},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"input.type\"}}},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"location\"}}},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.h
ostname\"}}},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.program_name\"}}},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.timestamp\"}}},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"previous_output\"}}},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.category\"}}},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.decoded_as\"}}},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.frequency\"}}},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.group\"}}},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.hostname\"}}},{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.id\"}}},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_fts\"}}},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_matched_sid\"}}},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_sid\"}}},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.ignore\"}}},{\"count\":0,\"name\":\"rule.details.match\
",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.match\"}}},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.maxsize\"}}},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.noalert\"}}},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.regex\"}}},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.same_source_ip\"}}},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.timeframe\"}}},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.user\"}}},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.filename\"}}},{\"count\":0,\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.frequency\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"rule.info\"}}},{\"count\":0,\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{
\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci\"}}},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.relative_dirname\"}}},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.status\"}}},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,
\"subType\":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"count\":0,\"name\":\"syscheck.audit.effective_user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.effective_user.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.group.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.group.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.process.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.process.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.
process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.user.name\"}}},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.changed_attributes\"}}},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.event\"}}},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{
\"parent\":\"syscheck.gid_after\"}}},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.gname_after\"}}},{\"count\":0,\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.md5_after\"}}},{\"count\":0,\"name\":\"syscheck.mtime_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.mtime_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.path\"}}},{
\"count\":0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.perm_after\"}}},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha1_after\"}}},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha256_after\"}}},{\"count\":0,\"name\":\"syscheck.size_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.tags\"}}},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uid_after\"}}},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uname_after\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"count\":0,\"name\":\"timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x*"},"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over 
time\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-patter
n"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sources","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sources\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"bf8f2f20-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMsMV0="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.aws.source\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\
"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzQsMV0="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\"},\"panelIndex\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\"},\"panelIndex\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\"},\"panelIndex\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"id":"d9881710-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"bf8f2f20-c74b-11ed-a68b-6f8
500ccee6f","name":"panel_1","type":"visualization"},{"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzUsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 5 events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top 5 events\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzYsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over time - 
Docker\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pat
tern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzcsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Docker\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.type\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Actor.ID\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.actor.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\
":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.action\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"},"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzgsMV0="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"id":"38d43040-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzksMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert groups","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
groups\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Incident 
response\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:audit\",\"language\":\"lucene\"},\"label\":\"audit\"},{\"input\":{\"query\":\"rule.groups:audit_command\",\"language\":\"lucene\"},\"label\":\"audit_command\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.
index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzExLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Incident response\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.groups\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucke
t\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEyLDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"id":"f70272b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"
},"references":[{"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Critical severity alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Critical severity alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Critical Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Critical\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"High Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"High Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"High Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:High\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Medium Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Medium Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Medium Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Medium\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
severity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","ty
pe":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Low Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Low Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Low Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Low\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greys\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60},\"outline\":true}}}"},"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE4LDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities heat map","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities heat map\",\"type\":\"heatmap\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Greens\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"black\"}}]}}"},"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE5LDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.cve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.cve\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.name\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucke
t\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.version\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.severity\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIwLDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"w\":24,\"x\":0,\"y\":8},\"panelIndex\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":15,\"i\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"w\":24,\"x\":24,\"y\":8},\"panelIndex\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"hidePanelTitles\":false,\"title\":\"Events\"},\"gridData\":{\"h\":16,\"i\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"w\":48,\"x\":0,\"y\":23},\"panelIndex\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"title\":\"Events\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-vu
lnerabilities-v1.0","version":1},"id":"4e776290-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total 
alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total\"},\"schema\":\"metric\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Level 12 or above alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Level 12 or above alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Level 12 alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.level:[12 TO 
*]\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"vertical\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Yellow to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication failure","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication failure\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication failure\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_failed OR rule.groups:win_authentication_failed OR 
rule.groups:authentication_failures\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication success\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication 
success\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_success\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert level evolution","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert level 
evolution\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pa
ttern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top MITRE ATT&CKS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top MITRE ATT&CKS\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts main","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security alerts 
main\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"}
,\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI4LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_2\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_3\"},{\"version\":\"2.6
.0\",\"gridData\":{\"h\":14,\"i\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"w\":32,\"x\":0,\"y\":7},\"panelIndex\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"embeddableConfig\":{\"title\":\"Alert level evolution - Top 5 agents\",\"hidePanelTitles\":false},\"title\":\"Alert level evolution - Top 5 agents\",\"panelRefName\":\"panel_4\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":14,\"i\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"embeddableConfig\":{\"title\":\"Top Mitre ATT&K tactics\",\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K tactics\",\"panelRefName\":\"panel_5\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":18,\"i\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"w\":48,\"x\":0,\"y\":21},\"panelIndex\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"embeddableConfig\":{\"title\":\"Security alerts\",\"hidePanelTitles\":false},\"title\":\"Security alerts\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"id":"a22b3850-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI5LDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Emotet malware activity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Emotet malware activity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:\\\"rootcheck\\\"\",\"language\":\"kuery\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"setYExtents\":false,\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"widt
h\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Rootkits activity over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Rootkits activity over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.title\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"
Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":3,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"a7146210-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security 
alerts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id
\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMyLDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"id":"f5c5a590-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"a
7146210-c752-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"PCI DSS requirements","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PCI DSS requirements\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"radius\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"lin
e\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":false,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"radiusRatio\":50}}"},"id":"e9144240-c755-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Requirements by agent","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Requirements by 
agent\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requirements\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization
","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Recent events - PCI DSS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Recent events - PCI DSS\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.pci_dss\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\
",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM2LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":17,\"i\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"id":"7f10dd80-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"e9144240-c755-11ed-a68b-6f
8500ccee6f","name":"panel_0","type":"visualization"},{"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM3LDFd"} -{"exportedCount":37,"missingRefCount":0,"missingReferences":[]} diff --git a/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf b/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf deleted file mode 100644 index 74d88ae5428f7..0000000000000 --- a/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf +++ /dev/null @@ -1,38 +0,0 @@ -input { - opensearch { - hosts => ["wazuh.indexer:9200"] - user => "admin" - password => "admin" - index => "wazuh-alerts-4.x-*" - ssl => true - ca_file => "/etc/ssl/root-ca.pem" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-1m" - } - } - } - }' - schedule => "* * * * *" - } -} -output { - opensearch { - hosts => ["opensearch.node:9200"] - auth_type => { - type => 'basic' - user => 'admin' - password => 'admin' - } - index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}" - ssl => true - cacert => "/etc/ssl/root-ca.pem" - template => '/usr/share/logstash/pipeline/os_template.json' - template_name => 'wazuh' - template_overwrite => true - legacy_template => false - } -} - diff --git a/integrations/opensearch/logstash/pipeline/os_template.json b/integrations/opensearch/logstash/pipeline/os_template.json deleted file mode 100644 index 1fee33afc4da8..0000000000000 --- a/integrations/opensearch/logstash/pipeline/os_template.json +++ /dev/null 
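Review bot: the removed Logstash pipeline at integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf carried hardcoded default credentials, `user => "admin"` and `password => "admin"` on both the opensearch input and the opensearch output, so if this integration is being relocated rather than dropped, the replacement should take them from environment variables or the Logstash keystore instead of committing them to the repository. A second point in the same hunk: the input polls with `"gt": "now-1m"` on `schedule => "* * * * *"` without any persisted cursor, so a run that starts late or is skipped loses events from the gap while a run that starts early re-reads some; the deletion is a good moment to document that limitation wherever the pipeline lives next.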
@@ -1,2039 +0,0 @@ -{ - "index_patterns": "wazuh-*", - "template": { - "settings": { - "index": { - "routing": { - "allocation": { - "include": { - "_tier_preference": "data_content" - } - } - }, - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "refresh_interval": "5s", - "number_of_shards": "3", - "auto_expand_replicas": "0-1", - "query": { - "default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - "data.aws.description", - 
"data.aws.dstport", - "data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - 
"data.aws.responseElements.description", - "data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - 
"data.oscap.check.title", - "data.oscap.scan.benchmark.id", - "data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - 
"data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - "data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - "data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - "data.vulnerability.cvss.cvss3.vector.scope", - "data.vulnerability.cvss.cvss3.vector.user_interaction", - 
"data.vulnerability.cwe_reference", - "data.vulnerability.package.source", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.severity", - "data.vulnerability.title", - "data.vulnerability.assigner", - "data.vulnerability.cve_version", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - "data.win.system.providerGuid", - 
"data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.mitre.id", - "rule.mitre.tactic", - "rule.mitre.technique", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.mode", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", - "type" - ] - }, - "number_of_replicas": "0" - } - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword" - } - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "@version": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - 
"city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "agent": { - "properties": { - "id": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "properties": { - "action": { - "type": "keyword" - }, - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": 
"keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "accountId": { - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "createdAt": { - "type": "date" - }, - "dstaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "log_info": { - "properties": { - "s3bucket": { - "type": "keyword" - } - } - }, - "region": { - "type": "keyword" - }, - "resource": { - "properties": { - "instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - }, - "service": { - "properties": { - "action": { - "properties": { - "networkConnectionAction": { - "properties": { - "remoteIpDetails": { - "properties": { - "geoLocation": { - "type": "geo_point" - }, - "ipAddressV4": { - "type": "ip" - } - } - } - } - } - } - }, - "count": { - "type": "long" - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "source": { - "type": "keyword" - }, - "source_ip_address": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" 
- }, - "start": { - "type": "date" - }, - "updatedAt": { - "type": "date" - } - } - }, - "cis": { - "properties": { - "benchmark": { - "type": "keyword" - }, - "error": { - "type": "long" - }, - "fail": { - "type": "long" - }, - "group": { - "type": "keyword" - }, - "notchecked": { - "type": "long" - }, - "pass": { - "type": "long" - }, - "result": { - "type": "keyword" - }, - "rule_title": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "timestamp": { - "type": "keyword" - }, - "unknown": { - "type": "long" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "docker": { - "properties": { - "Action": { - "type": "keyword" - }, - "Actor": { - "properties": { - "Attributes": { - "properties": { - "image": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "Type": { - "type": "keyword" - } - } - }, - "dstip": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "gcp": { - "properties": { - "jsonPayload": { - "properties": { - "authAnswer": { - "type": "keyword" - }, - "queryName": { - "type": "keyword" - }, - "responseCode": { - "type": "keyword" - }, - "vmInstanceId": { - "type": "keyword" - }, - "vmInstanceName": { - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "labels": { - "properties": { - "location": { - "type": "keyword" - }, - "project_id": { - "type": "keyword" - }, - "source_type": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - } - } - }, - "severity": { - "type": "keyword" - } - } - }, - "github": { - "properties": { - "action": { - "type": "keyword" - }, - "actor": { - "type": "keyword" - }, - "actor_location": { - "properties": { - "country_code": { - "type": "keyword" - } - } - }, - "org": { - "type": "keyword" - }, - "repo": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "cpu_cores": { - "type": "long" - 
}, - "cpu_mhz": { - "type": "double" - }, - "cpu_name": { - "type": "keyword" - }, - "ram_free": { - "type": "long" - }, - "ram_total": { - "type": "long" - }, - "ram_usage": { - "type": "long" - }, - "serial": { - "type": "keyword" - } - } - }, - "id": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "adapter": { - "type": "keyword" - }, - "ipv4": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "ipv6": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "mac": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "rx_bytes": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "tx_bytes": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "tx_packets": { - "type": "long" - }, - "type": { - "type": "keyword" - } - } - } - } - }, - "office365": { - "properties": { - "Actor": { - "properties": { - "ID": { - "type": "keyword" - } - } - }, - "ClientIP": { - "type": "keyword" - }, - "Operation": { - "type": "keyword" - }, - "ResultStatus": { - "type": "keyword" - }, - "Subscription": { - "type": "keyword" - }, - "UserId": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "architecture": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "display_version": { - "type": 
"keyword" - }, - "hostname": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "patch": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "osquery": { - "properties": { - "action": { - "type": "keyword" - }, - "calendarTime": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "pack": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "inode": { - "type": "long" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - }, - "protocol": { - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "tx_queue": { - "type": "long" - } - } - }, - "process": { - "properties": { - "args": { - "type": "keyword" - }, - 
"cmd": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "nice": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "priority": { - "type": "long" - }, - "processor": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "rgroup": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "session": { - "type": "long" - }, - "sgroup": { - "type": "keyword" - }, - "share": { - "type": "long" - }, - "size": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "stime": { - "type": "long" - }, - "suser": { - "type": "keyword" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "vm_size": { - "type": "long" - } - } - }, - "program": { - "properties": { - "architecture": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "format": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "location": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "source": { - "type": "keyword" - }, - "vendor": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "protocol": { - "type": "keyword" - }, - "sca": { - "properties": { - "check": { - "properties": { - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "file": { 
- "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "references": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "failed": { - "type": "integer" - }, - "file": { - "type": "keyword" - }, - "invalid": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "policy": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "total_checks": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "srcip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "assigner": { - "type": "keyword" - }, - "cve": { 
- "type": "keyword" - }, - "cve_version": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - }, - "updated": { - "type": "date" - } - } - } - } - }, - "decoder": { - "properties": { - 
"accumulate": { - "type": "long" - }, - "fts": { - "type": "long" - }, - "ftscomment": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "parent": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "host": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "predecoder": { - "properties": { - "hostname": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - } - } - }, - "previous_log": { - "type": "text" - }, - "previous_output": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "rule": { - "properties": { - "cis": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "firedtimes": { - "type": "long" - }, - "frequency": { - "type": "long" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "mail": { - "type": "boolean" - }, - "mitre": { - "properties": { - "id": { - "type": "keyword" - }, - "tactic": { - "type": "keyword" - }, - "technique": { - "type": "keyword" - } - } - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "tsc": { - "type": "keyword" - } - } - }, - "syscheck": { - "properties": { - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - 
"login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "hard_links": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "path": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "size_after": { - "type": "long" - }, - "size_before": { - "type": "long" - }, - "tags": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - } - } - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "text" - } - } - }, - "aliases": {} - }, - "version": 1 -} diff --git a/integrations/opensearch/opensearch.yml b/integrations/opensearch/opensearch.yml deleted file mode 100644 index 442c0b707f2ec..0000000000000 
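Review bot: the `data.vulnerability.cvss` block of this deleted template types `cvss2.base_score`, `cvss3.base_score`, `exploitability_score` and `impact_score` as `keyword`, and `data.srcip`/`data.srcport` as `keyword` even though `data.port.local_ip`/`remote_ip` are `ip`; the `cvss2.vector` properties are also a copy of the `cvss3` ones (`privileges_required`, `scope` and `user_interaction` are CVSS v3 metrics, v2 has `access_vector`, `access_complexity` and `authentication`). None of that needs fixing in a file that is going away, but whichever template replaces it should not inherit those types: a `keyword` score cannot answer `base_score >= 7` range queries and a `keyword` source address cannot be filtered by CIDR. Please also say in the PR description where the alerts mapping now lives, since nothing in this diff adds a replacement.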
--- a/integrations/opensearch/opensearch.yml +++ /dev/null @@ -1,39 +0,0 @@ -network.host: "0.0.0.0" -node.name: "opensearch" -compatibility.override_main_response_version: true -plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem -plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key -plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem -plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem -plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key -plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem -plugins.security.ssl.http.enabled: true -plugins.security.ssl.transport.enforce_hostname_verification: false -plugins.security.ssl.transport.resolve_hostname: false -plugins.security.authcz.admin_dn: - - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US" -plugins.security.check_snapshot_restore_write_privileges: true -plugins.security.enable_snapshot_restore_privilege: true -plugins.security.nodes_dn: - - "CN=opensearch.node,OU=Wazuh,O=Wazuh,L=California,C=US" -plugins.security.restapi.roles_enabled: - - "all_access" - - "security_rest_api_access" -plugins.security.system_indices.enabled: true -plugins.security.system_indices.indices: - [ - ".opendistro-alerting-config", - ".opendistro-alerting-alert*", - ".opendistro-anomaly-results*", - ".opendistro-anomaly-detector*", - ".opendistro-anomaly-checkpoints", - ".opendistro-anomaly-detection-state", - ".opendistro-reports-*", - ".opendistro-notifications-*", - ".opendistro-notebooks", - ".opensearch-observability", - ".opendistro-asynchronous-search-response*", - ".replication-metadata-store", - ] -plugins.security.allow_default_init_securityindex: true -cluster.routing.allocation.disk.threshold_enabled: false 
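Review bot: `plugins.security.nodes_dn` in the deleted `opensearch.yml` lists `CN=opensearch.node,OU=Wazuh,O=Wazuh,L=California,C=US` while `node.name` is `"opensearch"`, and the file disables transport hostname verification, binds `network.host: "0.0.0.0"`, sets `plugins.security.allow_default_init_securityindex: true` and turns off the disk allocation threshold; all of that is acceptable only on a throwaway lab node, so removing it is fine. What should be confirmed in the same change is that no compose file or document still bind-mounts `integrations/opensearch/opensearch.yml`, because Docker will create an empty directory in place of the missing file and the indexer container then fails to read its configuration at startup.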
diff --git a/integrations/opensearch/opensearch_dashboards.yml b/integrations/opensearch/opensearch_dashboards.yml deleted file mode 100644 index 316ebabcf1179..0000000000000 --- a/integrations/opensearch/opensearch_dashboards.yml +++ /dev/null @@ -1,21 +0,0 @@ -server.host: 0.0.0.0 -server.port: 5601 -opensearch.hosts: https://opensearch.node:9200 -opensearch.ssl.verificationMode: certificate -#osd 1.2.4 -# opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"] -# -# osd 2.0 -opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"] -# -opensearch_security.multitenancy.enabled: false -opensearch_security.readonly_mode.roles: ["kibana_read_only"] -server.ssl.enabled: true -server.ssl.key: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" -server.ssl.certificate: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" -opensearch.ssl.certificateAuthorities: - ["/usr/share/opensearch-dashboards/config/certs/root-ca.pem"] -opensearch.username: "kibanaserver" -opensearch.password: "kibanaserver" -opensearchDashboards.branding: - useExpandedHeader: false diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md deleted file mode 100644 index d4182f71b067b..0000000000000 --- a/integrations/splunk/README.md +++ /dev/null 
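Review bot: the deleted `opensearch_dashboards.yml` carries `opensearch.username: "kibanaserver"` / `opensearch.password: "kibanaserver"`, the stock demo service-account password, together with `opensearch.ssl.verificationMode: certificate`, which checks the chain against `root-ca.pem` but skips matching the hostname against `opensearch.node`. Removing it is the right call; the point to carry into whatever replaces it is that the server password should come from an environment variable or keystore rather than a committed YAML, and `verificationMode: full` should be used once the node certificate carries a matching SAN.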
@@ -1,47 +0,0 @@ -# Wazuh to Splunk Integration Developer Guide - -This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html). - -## Requirements - -- Docker and Docker Compose installed. - -## Usage - -1. Clone the Wazuh repository and navigate to the `integrations/` folder. -2. Run the following command to start the environment: - ```bash - docker compose -f ./docker/compose.indexer-splunk.yml up -d - ``` - -The Docker Compose project will bring up the following services: - -- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). -- 1x Wazuh Indexer (OpenSearch). -- 1x Logstash -- 1x Splunk - -For custom configurations, you may need to modify these files: - -- [docker/compose.indexer-splunk.yml](../docker/compose.indexer-splunk.yml): Docker Compose file. -- [docker/.env](../docker/.env): Environment variables file. -- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file. - -Check the files above for **credentials**, ports, and other configurations. - -| Service | Address | Credentials | -| ------------- | ---------------------- | ------------------- | -| Wazuh Indexer | https://localhost:9200 | admin:admin | -| Splunk | https://localhost:8000 | admin:Password.1234 | - -## Importing the dashboards - -The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following: - -- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index. -- Open a dashboard file and copy all its content. 
-- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`. -- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the contents from one of the dashboard files under `integrations/splunk`. After that, click on `Back` and click on `Save`. -- Repeat the steps for all the desired dashboards. - -Imported dashboards will appear under `Search & Reporting` > `Dashboards`. diff --git a/integrations/splunk/cfssl/ca.json b/integrations/splunk/cfssl/ca.json deleted file mode 100644 index 8a96a70a42c42..0000000000000 --- a/integrations/splunk/cfssl/ca.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "CN": "Wazuh", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "San Francisco", - "O": "Wazuh", - "OU": "Wazuh Root CA" - } - ] -} diff --git a/integrations/splunk/cfssl/cfssl.json b/integrations/splunk/cfssl/cfssl.json deleted file mode 100644 index d23daf762100e..0000000000000 --- a/integrations/splunk/cfssl/cfssl.json +++ /dev/null @@ -1,58 +0,0 @@ -{ - "signing": { - "default": { - "expiry": "8760h" - }, - "profiles": { - "intermediate_ca": { - "usages": [ - "signing", - "digital signature", - "key encipherment", - "cert sign", - "crl sign", - "server auth", - "client auth" - ], - "expiry": "8760h", - "ca_constraint": { - "is_ca": true, - "max_path_len": 0, - "max_path_len_zero": true - } - }, - "peer": { - "usages": [ - "signing", - "digital signature", - "key encipherment", - "data encipherment", - "client auth", - "server auth" - ], - "expiry": "8760h" - }, - "server": { - "usages": [ - "signing", - "digital signing", - "key encipherment", - "data encipherment", - "server auth" - ], - "expiry": "8760h" - }, - "client": { - "usages": [ - "signing", - "digital signature", - "key encipherment", - "data encipherment", - "client auth" - ], - "expiry": "8760h" - } - } - } -} - 
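Review bot: the `server` profile in `cfssl.json` lists `"digital signing"` where the other profiles use `"digital signature"`; `digital signing` is not a usage name cfssl recognizes, so it is logged as unknown and dropped. The profile still works because `"signing"` already maps to the digital-signature key usage, but if these profiles are recreated elsewhere the canonical name should be used. The deleted README also publishes `admin:admin` for the indexer and `admin:Password.1234` for Splunk and sends readers to the config files for the remaining credentials; with every one of those files removed in this diff, please confirm nothing else in the repository or the linked documentation still points at `integrations/splunk/README.md`.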
diff --git a/integrations/splunk/cfssl/host.json b/integrations/splunk/cfssl/host.json deleted file mode 100644 index e1d3cd064b842..0000000000000 --- a/integrations/splunk/cfssl/host.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "CN": "splunk", - "key": { - "algo": "rsa", - "size": 2048 - }, - "names": [ - { - "C": "US", - "L": "California", - "O": "Wazuh", - "OU": "Wazuh" - } - ], - "hosts": [ - "splunk", - "localhost" - ] -} diff --git a/integrations/splunk/config/default.yml b/integrations/splunk/config/default.yml deleted file mode 100644 index e9e0637d69a60..0000000000000 --- a/integrations/splunk/config/default.yml +++ /dev/null @@ -1,25 +0,0 @@ -splunk: - conf: - - key: web - value: - directory: /opt/splunk/etc/system/local - content: - settings: - enablesSplunkWebSSL: true - privKeyPath: /opt/splunk/etc/auth/custom/splunk.key - serverCert: /opt/splunk/etc/auth/custom/splunk.pem - - key: server - value: - directory: /opt/splunk/etc/system/local - content: - general: - serverName: splunk - pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw== - sslConfig: - serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem - hec: - enable: True - ssl: True - port: 8088 - # hec.token is used only for ingestion (receiving Splunk events) - token: abcd1234 diff --git a/integrations/splunk/config/indexes.conf b/integrations/splunk/config/indexes.conf deleted file mode 100644 index 81fe23e9e9515..0000000000000 --- a/integrations/splunk/config/indexes.conf +++ /dev/null @@ -1,11 +0,0 @@ -[default] -[wazuh-alerts] -coldPath = $SPLUNK_DB/wazuh/colddb -enableDataIntegrityControl = 1 -enableTsidxReduction = 1 -homePath = $SPLUNK_DB/wazuh/db -maxTotalDataSizeMB = 512000 -thawedPath = $SPLUNK_DB/wazuh/thaweddb -timePeriodInSecBeforeTsidxReduction = 15552000 -tsidxReductionCheckPeriodInSec = - 
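Review bot: `config/default.yml` sets `enablesSplunkWebSSL: true` under `web`, which is not the Splunk `web.conf` key (`enableSplunkWebSSL`), so this setting would not enable TLS on Splunk Web even though the README advertises `https://localhost:8000`; moot once the file is deleted, but worth knowing if the setup is reproduced. The same file commits a `pass4SymmKey` value and the HEC `token: abcd1234` in clear, and deleting it does not remove them from git history, so if that symmetric key or token was ever reused on a non-lab Splunk instance it has to be rotated. In `indexes.conf` the hunk shows `tsidxReductionCheckPeriodInSec =` with no value on its last line, which Splunk would reject if the stanza were ever reused.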
diff --git a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf deleted file mode 100644 index fe6042f4c4e0c..0000000000000 --- a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf +++ /dev/null @@ -1,31 +0,0 @@ -input { - opensearch { - hosts => ["wazuh.indexer:9200"] - user => "${INDEXER_USERNAME}" - password => "${INDEXER_PASSWORD}" - ssl => true - ca_file => "/usr/share/logstash/root-ca.pem" - index => "wazuh-alerts-4.x-*" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-1m" - } - } - } - }' - schedule => "* * * * *" - } -} - - -output { - http { - format => "json" - http_method => "post" - url => "https://splunk:8088/services/collector/raw" - headers => ["Authorization", "Splunk abcd1234"] - cacert => "/usr/share/logstash/root-ca.pem" - } -} diff --git a/integrations/splunk/logstash/setup.sh b/integrations/splunk/logstash/setup.sh deleted file mode 100644 index 4852d27efd5e1..0000000000000 --- a/integrations/splunk/logstash/setup.sh +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/bash - -# This script creates and configures a keystore for Logstash to store -# indexer's credentials. NOTE: works only for dockerized logstash. -# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html - -# Create keystore -/usr/share/logstash/bin/logstash-keystore create -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME -echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD diff --git a/integrations/splunk/wazuh-amazon-aws b/integrations/splunk/wazuh-amazon-aws deleted file mode 100644 index c2d4db71d0bce..0000000000000 --- a/integrations/splunk/wazuh-amazon-aws +++ /dev/null 
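Review bot: in `indexer-to-splunk.conf` the indexer credentials come from the keystore (`"${INDEXER_USERNAME}"`, `"${INDEXER_PASSWORD}"`) but the HEC token is inlined as `headers => ["Authorization", "Splunk abcd1234"]`, and `setup.sh` seeds that keystore with `admin`/`admin`; the token is the same `abcd1234` committed in `config/default.yml`, so it survives this deletion in history and needs rotating anywhere it was reused. The scheduling is also lossy: `"gt": "now-1m"` evaluated by `schedule => "* * * * *"` keeps no persisted checkpoint, so a run that starts late, or an alert indexed with delay, falls outside the window, while an early run re-sends the overlap. If the pipeline is rebuilt elsewhere, keep the token in the keystore as well and track the last seen `@timestamp` instead of a fixed window.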
@@ -1,132 +0,0 @@ -{ - "visualizations": { - "viz_lTJLU7ar": { - "type": "splunk.area", - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count", - "legendDisplay": "left" - }, - "dataSources": { - "primary": "ds_BHh1kZmb" - }, - "title": "Events by source over time" - }, - "viz_l5qazB46": { - "type": "splunk.pie", - "options": { - "showDonutHole": true - }, - "dataSources": { - "primary": "ds_Y2J0psR4" - }, - "title": "Sources" - }, - "viz_1JzeNwnq": { - "type": "splunk.table", - "title": "Events", - "dataSources": { - "primary": "ds_K2y81pak" - } - } - }, - "dataSources": { - "ds_BHh1kZmb": { - "type": "ds.search", - "options": { - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - }, - "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | timechart count by \"data.aws.source\"" - }, - "name": "Search_1" - }, - "ds_Y2J0psR4": { - "type": "ds.search", - "options": { - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - }, - "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | chart count by \"data.aws.source\"" - }, - "name": "Search_2" - }, - "ds_K2y81pak": { - "type": "ds.search", - "options": { - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - }, - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.aws.source\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.aws.source, rule.description, rule.level, rule.id" - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time 
Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_lTJLU7ar", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 795, - "h": 334 - } - }, - { - "item": "viz_1JzeNwnq", - "type": "block", - "position": { - "x": 0, - "y": 334, - "w": 1200, - "h": 358 - } - }, - { - "item": "viz_l5qazB46", - "type": "block", - "position": { - "x": 795, - "y": 0, - "w": 405, - "h": 334 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-amazon-aws-v1.0" -} diff --git a/integrations/splunk/wazuh-docker-listener b/integrations/splunk/wazuh-docker-listener deleted file mode 100644 index 756d9145b8875..0000000000000 --- a/integrations/splunk/wazuh-docker-listener +++ /dev/null 
@@ -1,130 +0,0 @@ -{ - "visualizations": { - "viz_OcJb59wC": { - "type": "splunk.pie", - "options": { - "showDonutHole": true - }, - "dataSources": { - "primary": "ds_5TEzCbIf" - }, - "title": "Top 5 events" - }, - "viz_bQPbbrvw": { - "type": "splunk.column", - "title": "Events by source over time", - "dataSources": { - "primary": "ds_l6nQN96B" - }, - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - } - }, - "viz_7GGKwL33": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_gW45zmr5" - }, - "title": "Events" - } - }, - "dataSources": { - "ds_5TEzCbIf": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | top limit=5 data.docker.Action | chart count by data.docker.Action", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "name": "Search_1" - }, - "ds_l6nQN96B": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by data.docker.Type useother=false usenull=false\n", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "name": "Search_2" - }, - "ds_gW45zmr5": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.docker.Type\"=\"*\", \"data.docker.Actor.ID\"=\"*\", \"data.docker.Action\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.docker.Type, data.docker.Actor.ID, data.docker.Action, rule.description, rule.level, rule.id", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": 
"global_time", - "defaultValue": "-24h@h,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_OcJb59wC", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 415, - "h": 316 - } - }, - { - "item": "viz_7GGKwL33", - "type": "block", - "position": { - "x": 0, - "y": 316, - "w": 1200, - "h": 378 - } - }, - { - "item": "viz_bQPbbrvw", - "type": "block", - "position": { - "x": 415, - "y": 0, - "w": 785, - "h": 316 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-docker-listener-v1.0" -} diff --git a/integrations/splunk/wazuh-incident-response b/integrations/splunk/wazuh-incident-response deleted file mode 100644 index 247cec3303b01..0000000000000 --- a/integrations/splunk/wazuh-incident-response +++ /dev/null 
@@ -1,131 +0,0 @@ -{ - "visualizations": { - "viz_bRMOrrNo": { - "type": "splunk.pie", - "options": { - "showDonutHole": true - }, - "dataSources": { - "primary": "ds_T5OG9qjO" - }, - "title": "Alert groups" - }, - "viz_iOvmhhgU": { - "type": "splunk.table", - "options": {}, - "dataSources": { - "primary": "ds_tnYl87gQ" - } - }, - "viz_P0bNNVfw": { - "type": "splunk.column", - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "dataSources": { - "primary": "ds_GccX6Lrj" - }, - "title": "Events" - } - }, - "dataSources": { - "ds_T5OG9qjO": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"*\" | top limit=5 \"rule.groups{}\" | chart count by \"rule.groups{}\" useother=false usenull=false", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_tnYl87gQ": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.groups{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.groups{}, rule.description, rule.level, rule.id", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_GccX6Lrj": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"audit\" | timechart count by \"rule.groups{}\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global 
Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_bRMOrrNo", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 388, - "h": 292 - } - }, - { - "item": "viz_iOvmhhgU", - "type": "block", - "position": { - "x": 0, - "y": 292, - "w": 1200, - "h": 399 - } - }, - { - "item": "viz_P0bNNVfw", - "type": "block", - "position": { - "x": 388, - "y": 0, - "w": 812, - "h": 292 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-incident-response-v1.0" -} diff --git a/integrations/splunk/wazuh-malware-detection b/integrations/splunk/wazuh-malware-detection deleted file mode 100644 index 70c825efabb01..0000000000000 --- a/integrations/splunk/wazuh-malware-detection +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "visualizations": { - "viz_Q5GQT6h2": { - "type": "splunk.area", - "dataSources": { - "primary": "ds_N3cdEic4" - }, - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "title": "Emotet malware activity" - }, - "viz_U8vFKyUp": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_f5AJxLS5" - }, - "title": "Security alerts" - }, - "viz_uLQLGVbg": { - "type": "splunk.line", - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "dataSources": { - "primary": "ds_IcWLWjPn" - }, - "title": "Rootkits activity over time" - } - }, - "dataSources": { - "ds_N3cdEic4": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"rootcheck\" | timechart count by \"rule.groups{}\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_f5AJxLS5": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.mitre.technique{}\"=\"*\", \"rule.mitre.tactic{}\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\", \"rule.description\"=\"*\" | table _time, agent.name, rule.mitre.technique{}, rule.mitre.tactic{}, rule.level, rule.id, rule.description\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_IcWLWjPn": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by data.title useother=false usenull=false\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - 
"token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_Q5GQT6h2", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 458, - "h": 293 - } - }, - { - "item": "viz_U8vFKyUp", - "type": "block", - "position": { - "x": 0, - "y": 293, - "w": 1200, - "h": 381 - } - }, - { - "item": "viz_uLQLGVbg", - "type": "block", - "position": { - "x": 458, - "y": 0, - "w": 742, - "h": 293 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-malware-detection-v1.0" -} diff --git a/integrations/splunk/wazuh-pci-dss b/integrations/splunk/wazuh-pci-dss deleted file mode 100644 index 84748831a9790..0000000000000 --- a/integrations/splunk/wazuh-pci-dss +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "visualizations": { - "viz_9NIbkgTo": { - "type": "splunk.bubble", - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "dataSources": { - "primary": "ds_g3vSgFS7" - }, - "title": "PCI DSS requirements" - }, - "viz_Z6CAbCjJ": { - "type": "splunk.column", - "options": { - "stackMode": "stacked", - "yAxisTitleText": "count", - "xAxisTitleText": "requirements" - }, - "dataSources": { - "primary": "ds_lljKZIBi" - }, - "title": "Requirements by agent" - }, - "viz_AtTGNj0f": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_9ABDZ4aq" - }, - "title": "Recent events" - } - }, - "dataSources": { - "ds_g3vSgFS7": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.pci_dss{}\"=\"*\" | timechart count by \"rule.pci_dss{}\"\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_lljKZIBi": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\" | chart count by \"rule.pci_dss{}\", \"agent.name\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_9ABDZ4aq": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.pci_dss{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.pci_dss{}, rule.description, rule.level, rule.id", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": 
"-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_9NIbkgTo", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 629, - "h": 400 - } - }, - { - "item": "viz_AtTGNj0f", - "type": "block", - "position": { - "x": 0, - "y": 400, - "w": 1200, - "h": 291 - } - }, - { - "item": "viz_Z6CAbCjJ", - "type": "block", - "position": { - "x": 629, - "y": 0, - "w": 571, - "h": 400 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-pci-dss-v1.0" -} diff --git a/integrations/splunk/wazuh-security-events b/integrations/splunk/wazuh-security-events deleted file mode 100644 index c64fa191bed88..0000000000000 --- a/integrations/splunk/wazuh-security-events +++ /dev/null 
@@ -1,292 +0,0 @@ -{ - "visualizations": { - "viz_oAPKLE0R": { - "type": "splunk.column", - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "Count", - "stackMode": "stacked" - }, - "dataSources": { - "primary": "ds_TdanKF0I" - }, - "showProgressBar": false, - "showLastUpdated": false, - "title": "Alerts evolution - Top 5 agents", - "description": "" - }, - "viz_Y07WmZ1b": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_ut2DiVW9" - }, - "title": "Security alerts", - "description": "" - }, - "viz_DI7fpctI": { - "type": "splunk.pie", - "dataSources": { - "primary": "ds_EmDJmxMO" - }, - "showProgressBar": false, - "showLastUpdated": false, - "title": "Top Mitre ATT&K tactics" - }, - "viz_qYCIuSjF": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#0258a1", - "trendColor": "#000000" - }, - "dataSources": { - "primary": "ds_d9cN1Qn9" - }, - "title": "Total" - }, - "viz_aTlMnG7A": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#db566f" - }, - "dataSources": { - "primary": "ds_ZPT4uVoe" - }, - "title": "Level 12 or above alerts" - }, - "viz_R8LMR6U6": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#bf0561" - }, - "dataSources": { - "primary": "ds_d8m0U7Ph" - }, - "title": "Authentication failure" - }, - "viz_nDMI4ZGW": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#007d73" - }, - "dataSources": { - "primary": "ds_7FDRhb5m" - }, - "title": "Authentication success" - } - }, - "dataSources": { - "ds_TdanKF0I": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by agent.name\n\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_ut2DiVW9": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.mitre.id{}\"=\"*\" | table _time, agent.name, rule.mitre.id{}, rule.mitre.tactic{}, 
rule.description, rule.level, rule.id\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_EmDJmxMO": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | top limit=5 agent.name | chart count by agent.name\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - }, - "ds_5QIbKzqF": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | chart count by rule.groups", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_4" - }, - "ds_d9cN1Qn9": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_5" - }, - "ds_ZPT4uVoe": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" rule.level>=12 | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_6" - }, - "ds_d8m0U7Ph": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"authentication_failed\" OR \"rule.groups{}\"=\"win_authentication_failed\" OR \"rule.groups{}\"=\"authentication_failures\" | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_7" - }, - "ds_7FDRhb5m": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=authentication_success | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_8" - }, - "ds_UIfFJptm": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | stats count", - 
"queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_9" - }, - "ds_z3i8WcOf": { - "type": "ds.search", - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - }, - "query": "wazuh-alerts-4.x-sample rule.groups=\"authentication_failures\" | stats count by rule.groups" - }, - "name": "Search_10" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_qYCIuSjF", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 291, - "h": 137 - } - }, - { - "item": "viz_oAPKLE0R", - "type": "block", - "position": { - "x": 0, - "y": 137, - "w": 731, - "h": 326 - } - }, - { - "item": "viz_Y07WmZ1b", - "type": "block", - "position": { - "x": 0, - "y": 463, - "w": 1200, - "h": 400 - } - }, - { - "item": "viz_aTlMnG7A", - "type": "block", - "position": { - "x": 291, - "y": 0, - "w": 286, - "h": 137 - } - }, - { - "item": "viz_R8LMR6U6", - "type": "block", - "position": { - "x": 577, - "y": 0, - "w": 301, - "h": 137 - } - }, - { - "item": "viz_DI7fpctI", - "type": "block", - "position": { - "x": 731, - "y": 137, - "w": 469, - "h": 326 - } - }, - { - "item": "viz_nDMI4ZGW", - "type": "block", - "position": { - "x": 878, - "y": 0, - "w": 322, - "h": 137 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-security-events-v1.0" -} diff --git a/integrations/splunk/wazuh-vulnerabilities b/integrations/splunk/wazuh-vulnerabilities deleted file mode 100644 index a46023455e789..0000000000000 
--- a/integrations/splunk/wazuh-vulnerabilities +++ /dev/null 
@@ -1,257 +0,0 @@ -{ - "visualizations": { - "viz_XlLyYDmC": { - "type": "splunk.area", - "dataSources": { - "primary": "ds_DljIxEDR" - }, - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "title": "Alert severity" - }, - "viz_qzFw5Wx7": { - "type": "splunk.table", - "options": {}, - "dataSources": { - "primary": "ds_Irx4cEkl" - } - }, - "viz_3V3AvVY4": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_oyvgAG73" - }, - "title": "Critical Severity Alerts", - "options": { - "majorColor": "#db566f" - } - }, - "viz_cmEIbZ9q": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_TVyYlSRA" - }, - "title": "Hight Severity Alerts", - "options": { - "majorColor": "#0258a1" - } - }, - "viz_4QSVuglC": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_D0hAYmXA" - }, - "title": "Medium Severity Alerts", - "options": { - "majorColor": "#007d73" - } - }, - "viz_VI9ZdnSO": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_1KrtDz29" - }, - "title": "Low Severity Alerts", - "options": { - "majorColor": "#232323" - } - } - }, - "dataSources": { - "ds_DljIxEDR": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by data.vulnerability.severity useother=false usenull=false", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_31leL1fM": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_jymjmvtF": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", - "queryParameters": { - "latest": "$global_time.latest$", - 
"earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - }, - "ds_jEwqnxee": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_4" - }, - "ds_Irx4cEkl": { - "type": "ds.search", - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - }, - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.vulnerability.cve\"=\"*\", \"data.vulnerability.package.name\"=\"*\", \"data.vulnerability.package.version\"=\"*\", \"data.vulnerability.severity\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.vulnerability.cve, data.vulnerability.package.name, data.vulnerability.package.version, data.vulnerability.severity, rule.id\n\n" - }, - "name": "Search_5" - }, - "ds_oyvgAG73": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Critical\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_6" - }, - "ds_TVyYlSRA": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"High\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_7" - }, - "ds_D0hAYmXA": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Medium\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_8" - }, - "ds_1KrtDz29": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" 
\"data.vulnerability.severity\"=\"Low\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_9" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_3V3AvVY4", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 279, - "h": 131 - } - }, - { - "item": "viz_XlLyYDmC", - "type": "block", - "position": { - "x": 0, - "y": 131, - "w": 1200, - "h": 284 - } - }, - { - "item": "viz_qzFw5Wx7", - "type": "block", - "position": { - "x": 0, - "y": 415, - "w": 1200, - "h": 251 - } - }, - { - "item": "viz_cmEIbZ9q", - "type": "block", - "position": { - "x": 279, - "y": 0, - "w": 293, - "h": 131 - } - }, - { - "item": "viz_4QSVuglC", - "type": "block", - "position": { - "x": 572, - "y": 0, - "w": 309, - "h": 131 - } - }, - { - "item": "viz_VI9ZdnSO", - "type": "block", - "position": { - "x": 881, - "y": 0, - "w": 319, - "h": 131 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-vulnerabilities-v1.0" -} diff --git a/integrations/tools/events-generator/.dockerignore b/integrations/tools/events-generator/.dockerignore deleted file mode 100644 index 0f028b576338e..0000000000000 --- a/integrations/tools/events-generator/.dockerignore +++ /dev/null @@ -1,2 +0,0 @@ -.venv -Dockerfile \ No newline at end of file diff --git a/integrations/tools/events-generator/.gitignore b/integrations/tools/events-generator/.gitignore deleted file mode 100644 index b694934fbf9b4..0000000000000 
--- a/integrations/tools/events-generator/.gitignore +++ /dev/null @@ -1 +0,0 @@ -.venv \ No newline at end of file diff --git a/integrations/tools/events-generator/Dockerfile b/integrations/tools/events-generator/Dockerfile deleted file mode 100644 index da32f8c042017..0000000000000 --- a/integrations/tools/events-generator/Dockerfile +++ /dev/null @@ -1,4 +0,0 @@ -FROM python:3.9 -COPY . /home/events-generator/ -WORKDIR /home/events-generator -RUN pip install -r requirements.txt \ No newline at end of file diff --git a/integrations/tools/events-generator/README.md b/integrations/tools/events-generator/README.md deleted file mode 100644 index ac43631d9e2e1..0000000000000 --- a/integrations/tools/events-generator/README.md +++ /dev/null 
@@ -1,52 +0,0 @@ -### Events generator tool - -This python tool provides functionality to generate and index sample events for Wazuh's indices. - -#### Getting started - -Create a virtual environment to install the dependencies of the project. - -```console -python -m venv .venv -source .venv/bin/activate -pip install -r requirements.txt -``` - -Start the events' generator with `./run.py` or `python run.py`. The program takes no required -arguments, as it's configured with default values that will work in most cases during development. -To know more about its capabilities and arguments, display the help menu with `-h`. - -As for now, this tool generates events for the `wazuh-alerts-4.x-*` and `wazuh-archives-4.x-*` indices. -You may also need to create an **index pattern** in _dashboards_ in order to perform -queries to the index from the UI. To do that, go to Dashboards Management > Index Patterns > Create index pattern > wazuh-alerts-4.x-* > timestamp as Time field - -Newer indices, like `wazuh-states-vulnerabilities`, are ECS compliant and use a dedicated events' generator. -You can find it in the [ecs](../../../ecs/) folder. 
- - -```console -python run.py -o indexer -c 5 -t 1 -INFO:event_generator:Inventory created -INFO:event_generator:Publisher created -INFO:event_generator:Event created -{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dRWno40BZRXLJU5t0u6Z', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 168, '_primary_term': 1} -INFO:event_generator:Event created -{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dhWno40BZRXLJU5t1u6Y', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 169, '_primary_term': 1} -INFO:event_generator:Event created -{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dxWno40BZRXLJU5t2u6i', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 170, '_primary_term': 1} -INFO:event_generator:Event created -{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eBWno40BZRXLJU5t3u6v', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 171, '_primary_term': 1} -INFO:event_generator:Event created -{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eRWno40BZRXLJU5t4u66', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 172, '_primary_term': 1} -``` - -### Building the Docker image - -```console -docker build -t wazuh/indexer-events-generator:latest . -``` - -Run with: -```console -docker run -it --name=wazuh-indexer-events-generator --rm wazuh/indexer-events-generator python run.py -h -``` \ No newline at end of file diff --git a/integrations/tools/events-generator/requirements.txt b/integrations/tools/events-generator/requirements.txt deleted file mode 100644 index 37912b81ef184..0000000000000 --- a/integrations/tools/events-generator/requirements.txt +++ /dev/null @@ -1 +0,0 @@ -requests>=2.31.0 \ No newline at end of file 
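Review bot: the wazuh-security-events dashboard is dropped with no pointer to where it now lives; if it is being relocated rather than retired, the commit message or integrations README should say so, and the dead entries should not travel with it: ds_5QIbKzqF, ds_UIfFJptm and ds_z3i8WcOf are defined but referenced by no visualization, and all three query the `wazuh-alerts-4.x-sample` test index instead of `index="wazuh-alerts"` like the live searches. The "Top Mitre ATT&K tactics" pie (viz_DI7fpctI) also points at ds_EmDJmxMO, whose query is `top limit=5 agent.name | chart count by agent.name`, so the panel title does not match the data it shows.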
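Review bot: the wazuh-vulnerabilities dashboard carries three unused data sources (ds_31leL1fM, ds_jymjmvtF, ds_jEwqnxee), each an identical `wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity` search that no visualization binds to, and the viz_cmEIbZ9q title reads "Hight Severity Alerts". Fine to delete as-is, but if this definition is being moved to another repository those should be cleaned up on the way.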
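Review bot: deleting integrations/tools/events-generator/README.md removes the only documentation of how to populate `wazuh-alerts-4.x-*` and `wazuh-archives-4.x-*` for the integrations tests (virtualenv setup, the index-pattern step in Dashboards Management, the Docker image build and run line). The deleted text itself says newer indices use the generator under `ecs/`, but nothing in this patch says what replaces the legacy-index generator; the commit message or the integrations README should state where that workflow now lives, or that the legacy indices are no longer supported.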
diff --git a/integrations/tools/events-generator/run.py b/integrations/tools/events-generator/run.py deleted file mode 100644 index 8ecf69ada95ad..0000000000000 --- a/integrations/tools/events-generator/run.py +++ /dev/null 
@@ -1,205 +0,0 @@ -#!/usr/bin/python3 - -# Events generator tool for Wazuh's indices. -# Chooses a random element from /alerts.json to index -# Required. Destination of the events. Default: indexer. -# -c: Number of elements to push. Use 0 to run indefinitely. Default: 0 -# -i: index name prefix or module (e.g: wazuh-alerts, wazuh-states-vulnerabilities) -# -t: interval between events in seconds. Default: 5 -# when output is "indexer", the following parameters can be provided: -# -a: indexer's API IP address or hostname. -# -P: indexer's API port number. -# -u: username -# -p: password - - -from abc import ABC, abstractmethod -import argparse -import datetime -import logging -import random -import requests -import time -import json -import urllib3 -# import OpenSearch.opensearchpy - -logging.basicConfig(level=logging.NOTSET) -# Combination to supress certificates validation warning when verify=False -# https://github.com/influxdata/influxdb-python/issues/240#issuecomment-341313420 -logging.getLogger("urllib3").setLevel(logging.ERROR) -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - -logger = logging.getLogger("event_generator") - -# ================================================== # - - -class Inventory: - def __init__(self, path: str): - with open(path, "r") as fd: - self.elements = fd.readlines() - self.size = len(self.elements) - - def get_random(self) -> str: - """ - Returns the last element of the list - """ - random.shuffle(self.elements) - return self.elements[self.size-1] - -# ================================================== # - - -class Publisher(ABC): - @abstractmethod - def publish(self, event: str): - pass - -# ================================================== # - - -class PublisherClient(Publisher): - def __init__(self): - # self.client = OpenSearch( - # hosts... 
- # ) - pass - -# ================================================== # - - -class PublisherHttp(Publisher): - def __init__(self, address: str, port: int, path: str, user: str, password: str): - super() - self.address = address - self.port = port - self.path = path - self.username = user - self.password = password - - def url(self) -> str: - return f"https://{self.address}:{self.port}/{self.path}/_doc" - - def publish(self, event: str): - try: - result = requests.post( - self.url(), - auth=(self.username, self.password), - json=json.loads(event), - verify=False - ) - print(result.json()) - except json.JSONDecodeError as e: - logger.error("Error encoding event " + - event + "\n Caused by: " + e.msg) - -# ================================================== # - - -class PublisherCreator: - @staticmethod - def create(publisher: str, args) -> Publisher: - if publisher == "indexer": - address = args["address"] - port = args["port"] - path = args["index"] - username = args["username"] - password = args["password"] - - return PublisherHttp(address, port, path, username, password) - else: - raise ValueError("Unsupported publisher type") - -# ================================================== # - - -def date_now() -> str: - return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]+'+0000' - -# ================================================== # - - -def parse_args(): - parser = argparse.ArgumentParser( - description="Events generator tool for Wazuh's indices. Indexes a random element from /alerts.json", - ) - parser.add_argument( - '-i', '--index', - default="wazuh-alerts-4.x-sample", - help="Destination index name or alias" - ) - parser.add_argument( - '-o', '--output', - choices=['indexer'], - default="indexer", - help="Destination of the events. Default: indexer." - ) - parser.add_argument( - '-m', '--module', - default="wazuh-alerts", - help="Wazuh module to read the alerts from (e.g: wazuh-alerts, wazuh-states-vulnerabilities). 
Must match a subfolder's name." - ) - # Infinite loop by default - parser.add_argument( - '-c', '--count', - default=0, - type=int, - help="Number of elements to push. Use 0 to run indefinitely. Default: 0" - ) - # Interval of time between events - parser.add_argument( - '-t', '--time', - default=5, - type=int, - help="Interval between events in seconds. Default: 5" - ) - parser.add_argument( - '-a', '--address', - default="localhost", - help="Indexer's API IP address or hostname." - ) - parser.add_argument( - '-P', '--port', - default=9200, - type=int, - help="Indexer's API port number." - ) - parser.add_argument( - '-u', '--username', - default="admin", - help="Indexer's username" - ) - parser.add_argument( - '-p', '--password', - default="admin", - help="Indexer's password" - ) - return parser.parse_args() - - -# ================================================== # - - -def main(args: dict): - inventory = Inventory(f"{args['module']}/alerts.json") - logger.info("Inventory created") - publisher = PublisherCreator.create(args["output"], args) - logger.info("Publisher created") - - count = 0 - max_iter = args["count"] - time_interval = args["time"] - while (count < max_iter or max_iter == 0): - chosen = inventory.get_random().replace("{timestamp}", date_now()) - logger.info("Event created") - publisher.publish(chosen) - - time.sleep(time_interval) - count += 1 - -# ================================================== # - - -if __name__ == '__main__': - main(vars(parse_args())) diff --git a/integrations/tools/events-generator/wazuh-alerts/alerts.json b/integrations/tools/events-generator/wazuh-alerts/alerts.json deleted file mode 100644 index d3aea442be327..0000000000000 --- a/integrations/tools/events-generator/wazuh-alerts/alerts.json +++ /dev/null 
@@ -1,1124 +0,0 @@ -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T17:52:50.390Z","size_after":38,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":23315}} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T00:27:33.061Z","size_after":18,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":25973,"mtime_before":"2023-03-06T00:26:33.061Z","inode_before":81839,"sha1_after":"42b103c8ccf0f552e931159fdccf2072f1444842","changed_attributes":["sha1"],"md5_after":"896a6493ad8dd456f9a9d919d9c74a5e","sha256_after":"6cadaacded787afb101f14c9b404daed8c8800f19199a31024ce91ea1f26"}} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T06:38:30.327Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":27089}} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T15:35:43.101Z","size_after":47,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":94411}} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly 
detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file 
'/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file 
'/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected 
by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected 
by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected 
by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned 
version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' 
detected by the presence of file '/usr/bin/adore'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 
'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' 
detected by the presence of file '/tmp/mcliZokhb'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned 
version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 
'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file 
'/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"4598","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 6","notchecked":1,"score":14,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"4044","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 6","notchecked":3,"score":23,"pass":6,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
3","id":"3932","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 2","notchecked":4,"score":72,"pass":39,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"1379","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 5","notchecked":2,"score":5,"pass":86,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"4454","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 6","notchecked":4,"score":3,"pass":19,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
2","id":"3476","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 3","notchecked":0,"score":62,"pass":70,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"1453","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 4","notchecked":3,"score":84,"pass":19,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"1418","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 3","notchecked":2,"score":74,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
2","id":"2726","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 3","notchecked":4,"score":1,"pass":66,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 1","id":"4746","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 2","notchecked":1,"score":55,"pass":84,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"457","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 1","notchecked":5,"score":42,"pass":85,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
2","id":"3248","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 3","notchecked":2,"score":82,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 4","id":"5382","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 4","notchecked":4,"score":31,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 3","id":"4840","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 3","notchecked":2,"score":58,"pass":29,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 
3","id":"4569","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 6","notchecked":1,"score":79,"pass":1,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"809","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 1","notchecked":3,"score":76,"pass":13,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2098","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":41,"pass":66,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 
3","id":"2011","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 1","notchecked":4,"score":59,"pass":67,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 5","id":"4506","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 4","notchecked":1,"score":99,"pass":38,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"1888","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 4","notchecked":2,"score":87,"pass":17,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
5","id":"1059","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":3,"score":98,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"531","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":3,"score":8,"pass":97,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 1","id":"986","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":4,"score":51,"pass":96,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"3810","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 1","notchecked":3,"score":84,"pass":91,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 1","id":"3495","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 6","notchecked":0,"score":34,"pass":53,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 1","id":"116","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 4","notchecked":1,"score":46,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
3","id":"3857","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 3","notchecked":0,"score":7,"pass":27,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 2","id":"86","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":1,"score":30,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 3","id":"730","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 5","notchecked":1,"score":60,"pass":75,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
2","id":"5482","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":60,"pass":93,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"5587","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 3","notchecked":5,"score":7,"pass":48,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 3","notchecked":3,"score":25,"pass":36,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 
4","id":"3750","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 6","notchecked":4,"score":44,"pass":73,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 4","id":"4685","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":3,"score":32,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 3","id":"1858","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 4","notchecked":0,"score":98,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"1740","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 5","notchecked":1,"score":79,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":61,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 1","notchecked":2,"score":8,"pass":58,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 5","id":"3621","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 2","notchecked":5,"score":76,"pass":86,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"5004","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 5","notchecked":0,"score":45,"pass":34,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 3","id":"3909","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 5","notchecked":3,"score":12,"pass":45,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 1","id":"940","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 4","notchecked":1,"score":20,"pass":49,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"5026","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":1,"score":5,"pass":46,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2301","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 1","notchecked":5,"score":89,"pass":81,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4721","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 1","notchecked":0,"score":13,"pass":59,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
2","id":"939","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 1","notchecked":5,"score":5,"pass":76,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 1","id":"3683","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 1","notchecked":1,"score":32,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 4","id":"4425","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 5","notchecked":5,"score":68,"pass":60,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"4845","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 4","notchecked":1,"score":31,"pass":42,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4602","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 2","notchecked":3,"score":17,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 2","id":"5863","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":3,"score":2,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"3899","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 2","notchecked":1,"score":68,"pass":60,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5802","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 4","notchecked":3,"score":8,"pass":76,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 5","id":"2553","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 5","notchecked":1,"score":71,"pass":74,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
3","id":"5515","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":4,"score":91,"pass":21,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 2","id":"3519","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 6","notchecked":2,"score":62,"pass":79,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"4891","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 3","notchecked":3,"score":9,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"4265","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 2","notchecked":3,"score":48,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"5205","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":98,"rule_title":"CIS-CAT 6","notchecked":1,"score":97,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"507","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 5","notchecked":0,"score":0,"pass":14,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"3796","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 6","notchecked":5,"score":18,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"5794","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 5","notchecked":3,"score":60,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 4","id":"188","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 4","notchecked":0,"score":2,"pass":92,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
3","id":"2333","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 3","notchecked":0,"score":49,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"2835","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":1,"score":53,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 3","id":"5915","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 1","notchecked":2,"score":36,"pass":38,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
5","id":"5311","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":58,"rule_title":"CIS-CAT 3","notchecked":4,"score":29,"pass":17,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"4972","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 3","notchecked":3,"score":27,"pass":23,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"3913","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 6","notchecked":2,"score":22,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
4","id":"3530","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 1","notchecked":0,"score":22,"pass":64,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"434","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 1","notchecked":2,"score":65,"pass":55,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 2","id":"684","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 2","notchecked":0,"score":11,"pass":26,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 
4","id":"2819","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 1","notchecked":1,"score":49,"pass":13,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 2","id":"702","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 4","notchecked":5,"score":37,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 5","id":"1839","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":2,"score":2,"pass":1,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
4","id":"1899","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 2","notchecked":1,"score":20,"pass":59,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2808","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 2","notchecked":5,"score":46,"pass":31,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"2840","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 5","notchecked":3,"score":34,"pass":35,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
3","id":"5978","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":38,"rule_title":"CIS-CAT 1","notchecked":5,"score":58,"pass":71,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"3237","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 5","notchecked":1,"score":66,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"2993","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 1","notchecked":2,"score":25,"pass":68,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
5","id":"2141","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 5","notchecked":4,"score":95,"pass":78,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5805","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 1","notchecked":4,"score":44,"pass":36,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5561","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 3","notchecked":4,"score":85,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
1","id":"2087","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 6","notchecked":4,"score":54,"pass":58,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3402","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":11,"rule_title":"CIS-CAT 5","notchecked":5,"score":64,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5032","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 4","notchecked":4,"score":0,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
2","id":"2352","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 3","notchecked":3,"score":65,"pass":74,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"5484","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 5","notchecked":3,"score":65,"pass":26,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":79,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 3","id":"4635","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 2","notchecked":5,"score":58,"pass":8,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
4","id":"426","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":62,"rule_title":"CIS-CAT 3","notchecked":5,"score":23,"pass":83,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 5","id":"1567","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":26,"rule_title":"CIS-CAT 6","notchecked":4,"score":29,"pass":54,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"3333","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 2","notchecked":0,"score":51,"pass":2,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 
3","id":"3284","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 5","notchecked":4,"score":18,"pass":87,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"2626","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 1","notchecked":4,"score":53,"pass":62,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 2","id":"422","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 6","notchecked":4,"score":99,"pass":82,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 
4","id":"112","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":2,"score":16,"pass":92,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 2","id":"5565","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 6","notchecked":2,"score":33,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 2","id":"2565","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":26,"rule_title":"CIS-CAT 4","notchecked":0,"score":96,"pass":30,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"3334","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 1","notchecked":5,"score":98,"pass":34,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"5080","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 4","notchecked":3,"score":83,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"2309","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 4","notchecked":3,"score":31,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 
4","id":"4820","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 6","notchecked":2,"score":0,"pass":7,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 5","id":"5126","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 2","notchecked":1,"score":19,"pass":83,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5305","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
2","id":"925","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 6","notchecked":1,"score":75,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 2","id":"277","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":86,"rule_title":"CIS-CAT 3","notchecked":5,"score":84,"pass":54,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"77","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 2","notchecked":1,"score":46,"pass":37,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 
2","id":"1151","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 3","notchecked":3,"score":13,"pass":42,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3752","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 4","notchecked":3,"score":54,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"2291","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 5","notchecked":1,"score":95,"pass":68,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
4","id":"2466","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 6","notchecked":0,"score":42,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"598","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 2","notchecked":2,"score":32,"pass":64,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4816","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 6","notchecked":2,"score":11,"pass":98,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
3","id":"3079","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 5","notchecked":1,"score":57,"pass":35,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 5","id":"4497","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 4","notchecked":4,"score":84,"pass":31,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"5071","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
5","id":"2703","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":90,"rule_title":"CIS-CAT 5","notchecked":3,"score":73,"pass":6,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice 
function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects 
thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects 
passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects 
open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. 
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured 
with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in 
ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via 
an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 
1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 
LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 
1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted 
case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 
8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote 
attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to 
arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's 
default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 
8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal 
than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-
security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects 
vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types 
of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 
v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable 
behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the 
PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", 
"detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container nginx_container restarted", "groups": ["docker"], "id": "87909", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "restart", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "5f91cd9a9f4c5b370b7314c29cc8a2a28c72a61f9659953fa75df643502b3693"}, "scope": "local", "timeNano": "1586460544801840896.000000", "from": "nginx", "time": "1586460544", "status": "restart"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container received the action: die", "groups": ["docker"], "id": "87928", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": 
{"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "die", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "exitCode": "0", "maintainer": "NGINX Docker Maintainers "}, "ID": "6d145b0c801fce46301fa96354d0ea29e4b1ea82fe7021799a01e2abe04a18c8"}, "scope": "local", "timeNano": "1587084648640092672.000000", "from": "nginx", "time": "1587084648", "status": "die"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container started", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "start", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "ebe3de16ea5b18aecc216f1cabbab887fd7aa7408dbd761719cd69b3089120fa"}, "scope": "local", "timeNano": "1587084600046795264.000000", "from": "nginx", "time": "1587084600", "status": "start"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Network bridge connected", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "connect", "Type": "network", "Actor": {"Attributes": {"container": "fcaa90b845d05ec7ae7a5097a8596b35edf6d368a00f93fe9872a6d5b1449bb9", "name": "bridge", "type": "bridge"}, "ID": 
"d69c82315c95fee242619571726ead25f9447065db44e814bd3e07ea00daebb2"}, "scope": "local", "timeNano": "1587084599776133888.000000", "time": "1587084599"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 4, "description": "Docker: Network bridge disconnected", "groups": ["docker"], "id": "87929", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "disconnect", "Type": "network", "Actor": {"Attributes": {"container": "555b9855a3d5f97bc5156e3d61bcd67ef236f2875cdfaf4e49659c085c69f942", "name": "bridge", "type": "bridge"}, "ID": "26fc9c96a6d0077c55b4ab068408df1be2c77789254262ae65d4f469b7f520fb"}, "scope": "local", "timeNano": "1586460544485358336.000000", "time": "1586460544"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 7, "description": "Docker: Container nginx_container received the action: kill", "groups": ["docker"], "id": "87924", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "kill", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "signal": "15", "maintainer": "NGINX Docker Maintainers "}, "ID": "a5f7bce90032373cf7f6a489ba8ba19744dafef91a5f9eac072e3f7265475ac2"}, "scope": "local", "timeNano": "1586460544324527616.000000", "from": "nginx", "time": "1586460544", "status": "kill"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - 
Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": 
"Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": 
"Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 3, "description": "Docker: Container nginx_container stopped", "groups": ["docker"], "id": "87904", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "stop", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "1645a13ddb2f0ff8f5615b4535e57d4f08b6e444effc71b21962473edbffa758"}, "scope": "local", "timeNano": "1586461541373152000.000000", "from": "nginx", "time": "1586461541", "status": "stop"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 5, "pci_dss": ["10.2.7"], "description": "Docker: Started shell session in container nginx_container", "groups": ["docker"], "id": "87908", "nist_800_53": ["AU.14"], "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "exec_start: bash ", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers ", "execID": "69819869eefb3795e2015b603a2f85d6f5f556e5776428b5360fc9dfe5bfce47"}, "ID": "ff2d3b3018f1a5d97655666b7754c222a76034d536ef1de451a02fb524579c77"}, "timeNano": "1587404196804128000.000000", "from": "nginx", "time": "1587404196", "status": "exec_start: bash "}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh pulled", "id": "87932", "firedtimes": 1, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh:3.9.2_7.1.1", "Attributes": {"name": "wazuh/wazuh"}}, "scope": "local", "time": "1563354346", "timeNano": "1563354346181027328.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-elasticsearch pulled", "id": "87932", "firedtimes": 2, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": 
"wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-elasticsearch", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "elasticsearch", "schema-version": "1.0", "url": "https://www.elastic.co/products/elasticsearch", "vcs-url": "https://github.com/elastic/elasticsearch", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-kibana pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-kibana", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "kibana", "schema-version": "1.0", "url": "https://www.elastic.co/products/kibana", "vcs-url": "https://github.com/elastic/kibana", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-nginx pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": 
{"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Attributes": {"maintainer": "NGINX Docker Maintainers ", "name": "wazuh/wazuh-nginx"}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Network vagrant_default created", "id": "87930", "firedtimes": 1, "mail": false, "pci_dss": ["10.2.7"], "groups": ["docker"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Type": "network", "Action": "create", "Actor": {"ID": "80f3e2aad6cb19bcc14751551f4ea20037e41c07491a6cf4ccf093b978a8955c", "Attributes": {"name": "vagrant_default", "type": "bridge"}}, "scope": "local", "time": "1563354307", "timeNano": "1563354307459382528.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": 
"Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", 
"ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": 
"manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, 
"location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Australia", "location": {"lat": -33.8678513, "lon": 151.2073212}, "region_name": "Sydney", "city_name": "Sydney"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "France", "location": {"lat": 48.8534088, "lon": 2.3487999}, "region_name": "Paris", "city_name": "Paris"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": 
{"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", 
"input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 12}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", 
"ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": 
"2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", "portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": "2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", 
"portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": true, "level": 12, "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "groups": ["amazon", "aws", "aws_macie"], "id": "80355", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "CRITICAL", "actor": "resources.wazuh.sample.com", "summary": {"Timestamps": "2024-06-27T08:55:29.145Z", "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "Bucket": "resources.wazuh.sample.com,", "Record Count": "1", "Event Count": "1", "recipientAccountId": "166157441400", "ACL": {"resources": {"wazuh": {"com": {"Owner": {"DisplayName": "wazuh", "ID": "3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}}, "risk-score": "9", "notification-type": "ALERT_CREATED", "name": "S3 Bucket IAM policy grants global read rights", "created-at": "2024-06-27T08:55:29.145Z", "source": "macie", "url": "https://mt.eu-west-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aeu-west-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded", "tags": {"value": "Open Permissions,Basic Alert,"}, "alert-arn": "arn:aws:macie:eu-west-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed", "region": "ap-southeast-1", "log_info": {"s3bucket": "aws-sample-bucket-9", "log_file": "macie/2024/06/30/08/firehose_macie-1-2024-06-30-08-55-29-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2024-06-30-08-55-29-145b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3852, "level": 9, "status": "enabled", "details": {"frequency": "14", "timeframe": "120", "ignore": "240", "if_matched_sid": "3802", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], 
"tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail 500 error code (spam)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3306, "level": 6, "status": "enabled", "details": {"if_sid": "3301, 3302", "match": " blocked using "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: IP Address black-listed by anti-spam (blocked)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0075-cisco-ios_rules.xml", "relative_dirname": "ruleset/rules", "id": 4722, "level": 3, "status": "enabled", "details": {"if_sid": "4715", "id": "^%SEC_LOGIN-5-LOGIN_SUCCESS"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "cisco_ios"], "description": "Cisco IOS: Successful login to the router."}, "agent": 
{"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4851, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "4803"}, "pci_dss": ["10.6.1"], "gpg13": ["3.5"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "sonicwall"], "description": "SonicWall: Multiple firewall error messages."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4386, "level": 10, "status": "enabled", "details": {"frequency": "10", "timeframe": "240", "if_matched_sid": "4334", "same_source_ip": ""}, "pci_dss": ["11.4", "10.2.4", "10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["SI.4", "AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Initial Access"], "id": ["T1110", "T1133"], "technique": ["Brute Force", "External Remote Services"]}, "groups": ["authentication_failures", "syslog", "pix"], "description": "PIX: Multiple AAA (VPN) authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3353, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3303", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0045-mailscanner_rules.xml", "relative_dirname": "ruleset/rules", "id": 3751, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "3702", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Collection"], "id": ["T1110", "T1114"], "technique": ["Brute Force", "Email Collection"]}, "groups": ["multiple_spam", "syslog", "mailscanner"], "description": "mailscanner: Multiple attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, 
"location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3151, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3102", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Sender domain has bogus MX record. It should not be sending e-mail."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3158, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3108", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple pre-greetings rejects."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5703, "level": 10, 
"status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5702", "same_source_ip": ""}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible breakin attempt (high number of reverse lookup errors)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4507, "level": 8, "status": "enabled", "details": {"if_sid": "4502", "id": "^00515"}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "netscreenfw"], "description": "Netscreen firewall: Successfull admin login"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5302, "level": 9, "status": "enabled", "details": {"if_sid": "5301", "user": "^root"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"], "mitre": {"tactic": 
["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["authentication_failed", "syslog", "su"], "description": "User missed the password to change UID to root."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4550, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503", "same_source_ip": ""}, "pci_dss": ["1.4", "10.6.1", "11.4"], "gpg13": ["4.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6", "SI.4"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3", "CC6.1"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages from same source IP."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503"}, "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": 
"1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3602, "level": 3, "status": "enabled", "details": {"if_sid": "3600", "match": "Authenticated user="}, "pci_dss": ["10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "imapd"], "description": "Imapd user login."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2960, "level": 2, "status": "enabled", "details": {"decoded_as": "gpasswd", "match": "added by"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], "description": "User added to group."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5403, "level": 4, "status": "enabled", "details": {"if_sid": "5400", "if_fts": ""}, "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "First time user executed sudo."}, "agent": 
{"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5402, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo to ROOT executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3105, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain is not found (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3153, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3104", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple relaying attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3108, "level": 6, "status": "enabled", "details": {"if_sid": "3100", "match": "rejecting commands from"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sendmail rejected due to pre-greeting."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5601, "level": 5, "status": "enabled", "details": {"if_sid": "5600", "match": "refused connect from "}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer 
Protocol"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Connection refused by TCP Wrappers."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3398, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "MAIL|does not resolve to address"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Illegal address from unknown sender"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3302, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^550$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Rejected by access list (Requested action not taken)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": 
"/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5404, "level": 10, "status": "enabled", "details": {"if_sid": "5401", "match": "3 incorrect password attempts"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Three failed attempts to run sudo"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2502, "level": 10, "status": "enabled", "details": {"match": "more authentication failures;|REPEATED login failures"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failed", "syslog", "access_control"], "description": "syslog: User missed the password more than one time"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5103, "level": 9, "status": "enabled", "details": {"if_sid": "5100", 
"match": "Oversized packet received from"}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "linuxkernel"], "description": "Error message from the kernel. Ping of death attack."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3191, "level": 6, "status": "enabled", "details": {"if_sid": "3190", "match": "^sender check failed|^sender check tempfailed"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["smf-sav", "spam", "syslog", "sendmail"], "description": "sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5401, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "incorrect password attempt"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Failed attempt to run sudo."}, "agent": {"id": "003", "name": 
"ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3354, "level": 12, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3304", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple misuse of SMTP service (bad sequence of commands)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4342, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-502101|^5-502102"}, "pci_dss": ["8.1.2", "10.2.5"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.a.2.I", "164.312.a.2.II", "164.312.b"], "nist_800_53": ["AC.2", "IA.4", "AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Initial Access"], "id": ["T1089", "T1133"], "technique": ["Disabling Security Tools", "External Remote Services"]}, "groups": ["adduser", "account_changed", "syslog", "pix"], "description": "PIX: User created or modified on the Firewall."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, 
"manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3102, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=451 4.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain does not have any valid MX record (Requested action aborted)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3154, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3105", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5501, "level": 3, "status": "enabled", "details": {"if_sid": "5500", "match": "session opened for user "}, "pci_dss": ["10.2.5"], "gpg13": ["7.8", "7.9"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "pam", "syslog"], "description": "PAM: Login session opened."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3304, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^503$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3152, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3103", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", 
"CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3303, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^450$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Sender domain is not found (450: Requested mail action not taken)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4340, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111005|^5-111004|^5-111002|^5-111007"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], 
"description": "PIX: Firewall configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3396, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "verification"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: hostname verification failed"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4335, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113004"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: AAA (VPN) authentication successful."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": 
{"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2833, "level": 8, "status": "enabled", "details": {"if_sid": "2832", "match": "^(root)"}, "pci_dss": ["10.2.7", "10.6.1", "10.2.2"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "cron"], "description": "Root's crontab entry changed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3103, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.0.0 |reject=553 5.3.0"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Rejected by access list (55x: Requested action not taken)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2961, "level": 5, "status": "enabled", "details": {"if_sid": "2960", "group": "sudo"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], 
"description": "User added to group sudo."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3351, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "90", "if_matched_sid": "3301", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple relaying attempts of spam."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5304, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user|succeeded for|", "^+|^S+ to |^SU S+ S+ + "]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3851, "level": 9, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "ignore": "120", "if_matched_sid": "3801", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail attempts to an invalid account."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5132, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "module verification failed"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Unsigned kernel module was loaded"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5631, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "120", "if_matched_sid": 
"5602", "same_source_ip": ""}, "gdpr": ["IV_35.7.d", "IV_32.2"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Multiple connection attempts from same source (possible scan)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4339, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111003"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], "description": "PIX: Firewall configuration deleted."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5701, "level": 8, "status": "enabled", "details": {"if_sid": "5700", "match": "Bad protocol version identification"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1190"], "technique": ["Exploit Public-Facing Application"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: Possible attack 
on the ssh server (or version gathering)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3651, "level": 10, "status": "enabled", "details": {"frequency": "$IMAPD_FREQ", "timeframe": "120", "if_matched_sid": "3601", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "imapd"], "description": "Imapd Multiple failed logins from same source ip."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5407, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": 
"/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3155, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3106", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3156, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "if_matched_sid": "3107", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple rejected e-mails from same source ip."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3911, "level": 10, 
"status": "enabled", "details": {"frequency": "17", "timeframe": "30", "if_matched_sid": "3901", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["recon", "syslog", "courier"], "description": "Courier: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 1003, "level": 13, "status": "enabled", "details": {"maxsize": "1025", "noalert": "1"}, "gpg13": ["4.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "errors"], "description": "Non standard syslog message (size too large)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4810, "level": 3, "status": "enabled", "details": {"if_sid": "4806", "id": "^236$"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "sonicwall"], "description": "SonicWall: Firewall administrator login."}, "agent": 
{"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4509, "level": 8, "status": "enabled", "details": {"if_sid": "4504", "id": "^00767"}, "pci_dss": ["1.1.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1"], "nist_800_53": ["CM.3", "CM.5"], "tsc": ["CC8.1"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "netscreenfw"], "description": "Netscreen firewall: configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2503, "level": 5, "status": "enabled", "details": {"regex": ["^refused connect from|", "^libwrap refused connection|", "Connection from S+ denied"]}, "pci_dss": ["10.2.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["access_denied", "syslog", "access_control"], "description": "syslog: Connection blocked by Tcp Wrappers."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": 
"{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3352, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3302", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5706, "level": 6, "status": "enabled", "details": {"if_sid": "5700", "match": "Did not receive identification string from"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1043"], "technique": ["Commonly Used Port"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: insecure connection attempt (scan)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5303, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user root|^'su 
root'|", "^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8", "7.9"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID to root."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4323, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-605005"}, "pci_dss": ["10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: Successful login."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2504, "level": 9, "status": "enabled", "details": {"match": "ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"}, "pci_dss": ["10.2.4", "10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": 
["T1169"], "technique": ["Sudo"]}, "groups": ["invalid_login", "syslog", "access_control"], "description": "syslog: Illegal root login."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5113, "level": 7, "status": "enabled", "details": {"if_sid": "5100", "match": "Kernel log daemon terminating"}, "pci_dss": ["10.6.1"], "gpg13": ["4.14"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1529"], "technique": ["System Shutdown/Reboot"]}, "groups": ["system_shutdown", "syslog", "linuxkernel"], "description": "System is shutting down."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2301, "level": 10, "status": "enabled", "details": {"match": "^Deactivating service "}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "xinetd"], "description": "xinetd: Excessive number connections to a service."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", 
"@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3301, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^554$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Attempt to use mail server as relay (client host rejected)."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5405, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "user NOT in sudoers"}, "pci_dss": ["10.2.2", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.6", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Unauthorized user attempted to use sudo."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4505, "level": 11, "status": "enabled", "details": {"if_sid": "4503", "id": "^00027"}, "pci_dss": ["1.4", "10.6.1"], "gdpr": ["IV_35.7.d"], 
"hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1485"], "technique": ["Data Destruction"]}, "groups": ["service_availability", "netscreenfw"], "description": "Netscreen Erase sequence started."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5705, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5704"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access", "Credential Access"], "id": ["T1190", "T1110"], "technique": ["Exploit Public-Facing Application", "Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible scan or breakin attempt (high number of login timeouts)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3904, "level": 3, "status": "enabled", "details": {"if_sid": "3900", "match": "^LOGIN,"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "courier"], "description": 
"Courier (imap/pop3) authentication success."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2964, "level": 10, "status": "enabled", "details": {"frequency": "4", "timeframe": "30", "if_matched_sid": "2963", "same_source_ip": ""}, "pci_dss": ["11.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["recon", "syslog", "perdition"], "description": "perdition: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3330, "level": 10, "status": "enabled", "details": {"ignore": "240", "if_sid": "3320", "match": ["defer service failure|Resource temporarily unavailable|", "^fatal: the Postfix mail system is not running"]}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "postfix"], "description": "Postfix process error."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", 
"@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3106, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.5.4 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender address does not have domain (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4337, "level": 8, "status": "enabled", "details": {"if_sid": "4312", "id": "^3-201008"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, "groups": ["service_availability", "syslog", "pix"], "description": "PIX: The PIX is disallowing new connections."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3104, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.7.1 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": 
["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Attempt to use mail server as relay (550: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5108, "level": 12, "status": "enabled", "details": {"if_sid": "5100", "match": "Out of Memory: "}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "linuxkernel"], "description": "System running out of memory. 
Availability of the system is in risk."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4336, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113006"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.1", "7.5"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, "groups": ["authentication_failed", "syslog", "pix"], "description": "PIX: AAA (VPN) user locked out."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3355, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3305", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, 
"cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3397, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "RBL"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: RBL lookup error: Host or domain name not found"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3305, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^504$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3356, "level": 10, "status": "enabled", 
"details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "ignore": "30", "if_matched_sid": "3306", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5133, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "PKCS#7 signature not signed with a trusted key"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Signed but untrusted kernel module was loaded"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3357, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "3332", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential 
Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "postfix"], "description": "Postfix: Multiple SASL authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2551, "level": 10, "status": "enabled", "details": {"if_sid": "2550", "regex": "^Connection from S+ on illegal port$"}, "pci_dss": ["10.6.1"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Discovery"], "id": ["T1046"], "technique": ["Network Service Scanning"]}, "groups": ["connection_attempt", "syslog", "access_control"], "description": "Connection to rshd from unprivileged port. 
Possible network scan."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3910, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "30", "if_matched_sid": "3902", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "courier"], "description": "Courier brute force (multiple failed logins)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4325, "level": 8, "status": "enabled", "details": {"if_sid": "4313", "id": "^4-405001"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["syslog", "pix"], "description": "PIX: ARP collision detected."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} 
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5104, "level": 8, "status": "enabled", "details": {"if_sid": "5100", "regex": ["Promiscuous mode enabled|", "device S+ entered promiscuous mode"]}, "pci_dss": ["10.6.1", "11.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Discovery"], "id": ["T1040"], "technique": ["Network Sniffing"]}, "groups": ["promisc", "syslog", "linuxkernel"], "description": "Interface entered in promiscuous(sniffing) mode."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "5503", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "pam", "syslog"], "description": "PAM: Multiple failed logins in a small period of time."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3335, 
"level": 6, "status": "enabled", "details": {"if_sid": "3320", "match": "^too many "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: too many errors after RCPT from unknown"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} diff --git a/test-tools/.gitignore b/test-tools/.gitignore deleted file mode 100644 index 2fba045aa1ba5..0000000000000 --- a/test-tools/.gitignore +++ /dev/null @@ -1 +0,0 @@ -wazuh-certificates.tar \ No newline at end of file diff --git a/test-tools/README.md b/test-tools/README.md deleted file mode 100644 index cb9af1e4be6d8..0000000000000 --- a/test-tools/README.md +++ /dev/null 
@@ -1,45 +0,0 @@ -# Testing environment - -This is an environment definition with the required configuration to be prepared to freshly install a Wazuh Indexer -cluster with two nodes using Vagrant and Libvirt to provision the Virtual Machines. - -It also generates the node's required certificates using the `wazuh-certs-tool` and copy them to each node's `/home` -directory, leaving a copy in `test-tools/`. - -### Prerequisites - -1. Download and install Vagrant ([source](https://developer.hashicorp.com/vagrant/downloads)) -2. Install vagrant-libvirt ([source](https://vagrant-libvirt.github.io/vagrant-libvirt/installation.html)) - > In some cases you must also install `libvirt-dev` - -## Usage - -1. Navigate to the environment's root directory - ```bash - cd test-tools - ``` -2. Initialize the environment - ```bash - vagrant up - ``` -3. Connect to the different systems - ```bash - vagrant ssh indexer_[1|2] - ``` - -### Test scripts - -Some scripts are included to easily validate the correct basic functionality of a wazuh-indexer package, these are also being copied in the node's `/home/scripts` directory. More info at [scripts/README.md](scripts/README.md) - -### Cleanup - -After the testing session is complete you can stop or destroy the environment as you wish: - -- Stop the environment: - ```bash - vagrant halt - ``` -- Destroy the environment: - ```bash - vagrant destroy -f - ``` diff --git a/test-tools/Vagrantfile b/test-tools/Vagrantfile deleted file mode 100644 index b18aaa27177dc..0000000000000 --- a/test-tools/Vagrantfile +++ /dev/null 
@@ -1,54 +0,0 @@ -system(" - if [ #{ARGV[0]} = 'up' ]; then - echo 'Executing pre-start script.' - bash ./pre-start.sh - fi -") - -Vagrant.configure("2") do |config| - config.vm.define "indexer_1" do |indexer_1| - indexer_1.vm.box = "generic/alma9" - indexer_1.vm.synced_folder ".", "/vagrant" - indexer_1.vm.network "private_network", ip: "192.168.56.10" - indexer_1.vm.hostname = "node-1" - indexer_1.vm.provider "libvirt" do |vb| - vb.memory = "4096" - vb.cpus = "4" - end - indexer_1.vm.provision "shell", inline: <<-SHELL - systemctl stop firewalld - systemctl disable firewalld - yum clean all - yum install jq unzip tar -y - # Add node-2 to /etc/hosts - echo "192.168.56.11 node-2" >> /etc/hosts - # Copy generated certificates - cp /vagrant/wazuh-certificates.tar /home/vagrant/wazuh-certificates.tar - # Copy test scripts - cp -r /vagrant/scripts /home/vagrant/scripts - chown -R vagrant:vagrant /home/vagrant/scripts - SHELL - end - config.vm.define "indexer_2" do |indexer_2| - indexer_2.vm.box = "generic/ubuntu2204" - indexer_2.vm.synced_folder ".", "/vagrant" - indexer_2.vm.network "private_network", ip: "192.168.56.11" - indexer_2.vm.hostname = "node-2" - indexer_2.vm.provider "libvirt" do |vb| - vb.memory = "4096" - vb.cpus = "4" - end - indexer_2.vm.provision "shell", inline: <<-SHELL - systemctl stop ufw - systemctl disable ufw - apt-get install curl jq unzip tar -y - # Add node-1 to /etc/hosts - echo "192.168.56.10 node-1" >> /etc/hosts - # Copy generated certificates - cp /vagrant/wazuh-certificates.tar /home/vagrant/wazuh-certificates.tar - # Copy test scripts - cp -r /vagrant/scripts /home/vagrant/scripts - chown -R vagrant:vagrant /home/vagrant/scripts - SHELL - end -end diff --git a/test-tools/config.yml b/test-tools/config.yml deleted file mode 100644 index 904bf09631351..0000000000000 --- a/test-tools/config.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -nodes: - # Wazuh indexer nodes - indexer: - - name: node-1 - ip: "192.168.56.10" - - name: node-2 - ip: "192.168.56.11" diff --git a/test-tools/pre-start.sh b/test-tools/pre-start.sh deleted file mode 100644 index e0e1d4b7ac251..0000000000000 --- a/test-tools/pre-start.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Download the Wazuh certs tool -curl -sO https://packages.wazuh.com/4.9/wazuh-certs-tool.sh - -# Make the script executable -chmod +x ./wazuh-certs-tool.sh - -# Run the Wazuh certs tool -OPENSSL_CONF="/etc/ssl/openssl.cnf" ./wazuh-certs-tool.sh -A - -# Create a tarball of the generated certificates -tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . - -# Clean up -rm -rf ./wazuh-certificates wazuh-certs-tool.sh *.log - -echo "Setup complete and certificates archived." diff --git a/test-tools/scripts/00_run.sh b/test-tools/scripts/00_run.sh deleted file mode 100644 index 085cd85b9e86c..0000000000000 --- a/test-tools/scripts/00_run.sh +++ /dev/null 
@@ -1,88 +0,0 @@ -#!/bin/bash - -# Prompt the user for GitHub Token and artifact details securely -if [ -z "$GITHUB_TOKEN" ]; then - read -rsp 'Enter GitHub Token: ' GITHUB_TOKEN - echo "" -fi -export GITHUB_TOKEN - -if [ -z "$RUN_ID" ]; then - read -rp 'Enter Action Run ID: ' RUN_ID -fi -export RUN_ID - -if [ -z "$ARTIFACT_NAME" ]; then - read -rp 'Enter Artifact Name: ' ARTIFACT_NAME -fi -export ARTIFACT_NAME - -# Define environment variables with default values if not provided -read -rp "Enter current node name (default: 'node-1'): " NODE_NAME -export NODE_NAME=${NODE_NAME:-"node-1"} - -IP_ADDRESS=$(ip addr show eth1 2>/dev/null | grep 'inet ' | awk '{print $2}' | cut -d/ -f1) -if [ -z "$IP_ADDRESS" ]; then - IP_ADDRESS="127.0.0.1" -fi -read -rp "Enter IP of current node (default: '$IP_ADDRESS'): " NODE_IP -export NODE_IP=${NODE_IP:-$IP_ADDRESS} - -export CERTS_PATH=${CERTS_PATH:-"/home/vagrant/wazuh-certificates.tar"} - -# Optional variables for Node 2 -read -rp 'Enter secondary Node name (optional): ' NODE_2 -read -rp 'Enter IP of secondary Node (optional): ' IP_NODE_2 - -# Logging function with timestamps -log() { - echo "$(date +'%Y-%m-%d %H:%M:%S') - $1" -} - -# Function to run a command and check for errors -run_command() { - local cmd=$1 - log "Executing: $cmd" - if ! 
eval "$cmd"; then - log "Error executing: $cmd" - exit 1 - else - log "Successfully executed: $cmd" - fi -} - -# Main execution -log "Starting the script execution" - -run_command "bash 01_download_and_install_package.sh -id $RUN_ID -n $ARTIFACT_NAME" - -# Apply certificates -if [ -n "$NODE_2" ] && [ -n "$IP_NODE_2" ]; then - run_command "sudo bash 02_apply_certificates.sh -p $CERTS_PATH -n $NODE_NAME -nip $NODE_IP -s $NODE_2 -sip $IP_NODE_2" -else - run_command "sudo bash 02_apply_certificates.sh -p $CERTS_PATH -n $NODE_NAME -nip $NODE_IP" -fi - -# Start indexer service -run_command "sudo bash 03_manage_indexer_service.sh -a start" - -# Initialize cluster (assumes this step doesn't depend on Node 2 presence) -run_command "sudo bash 04_initialize_cluster.sh" -sleep 10 - -# Validate installed plugins -if [ -n "$NODE_2" ]; then - run_command "bash 05_validate_installed_plugins.sh -n $NODE_NAME -n $NODE_2" -else - run_command "bash 05_validate_installed_plugins.sh -n $NODE_NAME" -fi - -# Validate setup and command manager -run_command "bash 06_validate_setup.sh" -run_command "bash 07_validate_command_manager.sh" - -# Uninstall indexer -log "Running 08_uninstall_indexer.sh" -run_command "sudo bash 08_uninstall_indexer.sh" - -log "All tasks completed successfully." diff --git a/test-tools/scripts/01_download_and_install_package.sh b/test-tools/scripts/01_download_and_install_package.sh deleted file mode 100644 index b57f916ddefda..0000000000000 --- a/test-tools/scripts/01_download_and_install_package.sh +++ /dev/null 
@@ -1,173 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq unzip) -# Default package revision -PKG_REVISION="0" -# Wazuh indexer repository -REPO="wazuh/wazuh-indexer" - -# Function to display usage help -usage() { - echo "Usage: $0 --run-id [-v ] [-r ] [-n ]" - echo - echo "Parameters:" - echo " -id, --run-id The GHA workflow execution ID." - echo " -v, --version (Optional) The version of the wazuh-indexer package." - echo " -r, --revision (Optional) The revision of the package. Defaults to '0' if not provided." - echo " -n, --name (Optional) The package name. If not provided, it will be configured based on version and revision." - echo - echo "Please ensure you have the GITHUB_TOKEN environment variable set to access the GitHub repository, and all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Parse named parameters -while [[ "$#" -gt 0 ]]; do - case $1 in - --artifact-id|-id) RUN_ID="$2"; shift ;; - --version|-v) PKG_VERSION="$2"; shift ;; - --revision|-r) PKG_REVISION="$2"; shift ;; - --name|-n) PKG_NAME="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Check if RUN_ID is provided -if [ -z "$RUN_ID" ]; then - echo "Error: RUN_ID is required." - usage -fi - -# Validate GITHUB_TOKEN environment variable -if [ -z "$GITHUB_TOKEN" ]; then - echo "Please ensure you have the GITHUB_TOKEN environment variable set to access the GitHub repository." 
- exit 1 -fi - -# Ensure either PKG_NAME or both PKG_VERSION and PKG_REVISION are provided -if [ -z "$PKG_NAME" ] && { [ -z "$PKG_VERSION" ] || [ -z "$PKG_REVISION" ]; }; then - echo "Error: Either a package name (--name) or both a version (--version) and revision (--revision) must be provided." - usage -fi - -# Detect OS and architecture -if [ -f /etc/os-release ]; then - . /etc/os-release - OS=$(echo "$NAME" | tr '[:upper:]' '[:lower:]') -else - echo "Unsupported OS." - exit 1 -fi - -# Determine package type if PKG_NAME is not provided -ARCH=$(uname -m) -case "$OS" in - *ubuntu* | *debian*) - PKG_FORMAT="deb" - if [ -z "$PKG_NAME" ]; then - [ "$ARCH" == "x86_64" ] && ARCH="amd64" - [ "$ARCH" == "aarch64" ] && ARCH="arm64" - PKG_NAME="wazuh-indexer_${PKG_VERSION}-${PKG_REVISION}_${ARCH}.${PKG_FORMAT}" - fi - ;; - *centos* | *fedora* | *rhel* | *"red hat"* | *alma*) - PKG_FORMAT="rpm" - if [ -z "$PKG_NAME" ]; then - PKG_NAME="wazuh-indexer-${PKG_VERSION}-${PKG_REVISION}.${ARCH}.${PKG_FORMAT}" - fi - ;; - *) - echo "Unsupported OS." - exit 1 - ;; -esac - -# Check if the package is already present -if [ -f "$PKG_NAME" ]; then - echo "Package $PKG_NAME found locally. Reusing existing package." -else - # Fetch the list of artifacts - echo "Fetching artifacts list..." - RUN_URL="https://api.github.com/repos/${REPO}/actions/artifacts" - RESPONSE=$(curl -s -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GITHUB_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" "$RUN_URL?name=$PKG_NAME") - - # Check if the curl command was successful - if [ $? -ne 0 ]; then - echo "Error: Failed to fetch artifacts." - exit 1 - fi - - # Check if the artifact from the specified workflow run ID exists - echo "Checking ${PKG_NAME} package is generated for workflow run ${RUN_ID}" - ARTIFACT=$(echo "$RESPONSE" | jq -e ".artifacts[] | select(.workflow_run.id == $RUN_ID)") - - if [ -z "$ARTIFACT" ]; then - echo "Error: Wazuh indexer package not found." 
- exit 1 - fi - - ARTIFACT_ID=$(echo "$ARTIFACT" | jq -r '.id') - echo "Wazuh indexer artifact detected. Artifact ID: $ARTIFACT_ID" - - # Download the package - ARTIFACT_URL="https://api.github.com/repos/${REPO}/actions/artifacts/${ARTIFACT_ID}/zip" - echo "Downloading wazuh-indexer package from GitHub artifactory..." - echo "(It could take a couple of minutes)" - - if ! curl -L -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer $GITHUB_TOKEN" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - "$ARTIFACT_URL" -o package.zip > /dev/null 2>&1; then - echo "Error downloading package." - exit 1 - fi - echo "Package downloaded successfully" - - # Unzip the package - echo "Decompressing wazuh-indexer package..." - unzip ./package.zip - rm package.zip - - # shellcheck disable=SC2181 - if [ $? -ne 0 ]; then - echo "Error unzipping package." - exit 1 - fi - echo "Package decompressed" -fi - -# Install the package -echo "Installing wazuh-indexer package..." -case "$PKG_FORMAT" in - "deb") - sudo dpkg -i "$PKG_NAME" > /dev/null 2>&1 - ;; - "rpm") - sudo rpm -i "$PKG_NAME" > /dev/null 2>&1 - ;; -esac - -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error installing package." - exit 1 -fi - -echo "Package installed successfully." diff --git a/test-tools/scripts/02_apply_certificates.sh b/test-tools/scripts/02_apply_certificates.sh deleted file mode 100644 index c754eebf4b10e..0000000000000 --- a/test-tools/scripts/02_apply_certificates.sh +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(tar) - -# Function to display usage help -usage() { - echo "Usage: $0 --path-to-certs --current-node [--second-node ] [--current-node-ip ] [--second-node-ip ]" - echo - echo "Parameters:" - echo " -p, --path-to-certs Path to the generated Wazuh certificates tar" - echo " -n, --current-node Name of the current node" - echo " -s, --second-node (Optional) Name of the second node" - echo " -nip, --current-node-ip (Optional) IP address of the current node. Default: CURRENT_NODE" - echo " -sip, --second-node-ip (Optional) IP address of the second node. Default: SECOND_NODE" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - --path-to-certs|-p) PATH_TO_CERTS="$2"; shift ;; - --current-node|-n) CURRENT_NODE="$2"; shift ;; - --second-node|-s) SECOND_NODE="$2"; shift ;; - --current-node-ip|-nip) CURRENT_NODE_IP="$2"; shift ;; - --second-node-ip|-sip) SECOND_NODE_IP="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v ${dep} &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Validate mandatory arguments -if [ -z "$PATH_TO_CERTS" ] || [ -z "$CURRENT_NODE" ]; then - echo "Error: Missing mandatory parameter." 
- usage -fi - -# Set default values if optional arguments are not provided -CURRENT_NODE_IP=${CURRENT_NODE_IP:-$CURRENT_NODE} -SECOND_NODE_IP=${SECOND_NODE_IP:-$SECOND_NODE} -CONFIG_FILE="/etc/wazuh-indexer/opensearch.yml" -BACKUP_FILE="./opensearch.yml.bak" - -# Backup the original config file -echo "Creating a backup of the original config file..." -cp $CONFIG_FILE $BACKUP_FILE - -# Replace values in the config file -echo "Updating configuration..." -sed -i "s/node\.name: \"node-1\"/node.name: \"${CURRENT_NODE}\"/" $CONFIG_FILE - -if [ -n "$SECOND_NODE" ]; then - sed -i "s/#discovery\.seed_hosts:/discovery.seed_hosts:\n - \"${CURRENT_NODE_IP}\"\n - \"${SECOND_NODE_IP}\"/" $CONFIG_FILE - sed -i "/cluster\.initial_master_nodes:/!b;n;c- ${CURRENT_NODE}\n- ${SECOND_NODE}" $CONFIG_FILE - sed -i ':a;N;$!ba;s/plugins\.security\.nodes_dn:\n- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"/plugins.security.nodes_dn:\n- "CN='"${CURRENT_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"\n- "CN='"${SECOND_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"/' $CONFIG_FILE -else - sed -i "s/#discovery\.seed_hosts:/discovery.seed_hosts:\n - \"${CURRENT_NODE_IP}\"/" $CONFIG_FILE - sed -i "/cluster\.initial_master_nodes:/!b;n;c- ${CURRENT_NODE}" $CONFIG_FILE - sed -i ':a;N;$!ba;s/plugins\.security\.nodes_dn:\n- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"/plugins.security.nodes_dn:\n- "CN='"${CURRENT_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"/' $CONFIG_FILE -fi - -# shellcheck disable=SC2181 -if [ $? -eq 0 ]; then - echo "Configuration updated successfully. Backup created at ${BACKUP_FILE}" -else - echo "Error updating configuration." - exit 1 -fi - -# Directory for certificates -CERT_DIR="/etc/wazuh-indexer/certs" -if [ -d "$CERT_DIR" ]; then - echo "Certificates directory already exists. Removing it..." - rm -rf -fi -# Extract certificates -echo "Creating certificates directory and extracting certificates..." -mkdir -p $CERT_DIR - -if ! 
tar -xf "$PATH_TO_CERTS" -C "$CERT_DIR" "./$CURRENT_NODE.pem" "./$CURRENT_NODE-key.pem" "./admin.pem" "./admin-key.pem" "./root-ca.pem" ; then - echo "Error extracting certificates." - exit 1 -fi - -# Move and set permissions for certificates -echo "Moving and setting permissions for certificates..." -mv -n "$CERT_DIR/$CURRENT_NODE.pem" "$CERT_DIR/indexer.pem" -mv -n "$CERT_DIR/$CURRENT_NODE-key.pem" "$CERT_DIR/indexer-key.pem" -chmod 500 "$CERT_DIR" -chmod 400 "$CERT_DIR"/* -chown -R wazuh-indexer:wazuh-indexer "$CERT_DIR" - -# shellcheck disable=SC2181 -if [ $? -eq 0 ]; then - echo "Certificates configured successfully." -else - echo "Error configuring certificates." - exit 1 -fi diff --git a/test-tools/scripts/03_manage_indexer_service.sh b/test-tools/scripts/03_manage_indexer_service.sh deleted file mode 100644 index d9100b270c2b1..0000000000000 --- a/test-tools/scripts/03_manage_indexer_service.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Function to check the status of the wazuh-indexer service -check_service_is_running() { - if systemctl is-active --quiet wazuh-indexer ; then - echo "wazuh-indexer service is running." - else - echo "Error: wazuh-indexer service is not running." >&2 - exit 1 - fi -} - -# Function to display usage help -usage() { - echo "Usage: $0 --action " - echo - echo "This script manages the wazuh-indexer service." - echo - echo "Options:" - echo " -a, --action Specify the action to perform: start, stop, or restart." - echo " -h, --help Show this help message and exit." - echo - exit 1 -} - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - --action|-a) ACTION="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Check if ACTION is provided -if [ -z "$ACTION" ]; then - echo "Error: Action is required." - usage -fi - -# Execute the action -case $ACTION in - start) - echo "Starting wazuh-indexer service..." - systemctl daemon-reload > /dev/null 2>&1 - systemctl enable wazuh-indexer > /dev/null 2>&1 - systemctl start wazuh-indexer > /dev/null 2>&1 - check_service_is_running - ;; - stop) - echo "Stopping wazuh-indexer service..." - systemctl stop wazuh-indexer - systemctl is-active --quiet wazuh-indexer - if [ $? -ne 0 ]; then - echo "wazuh-indexer service stopped successfully." - else - echo "Error: Failed to stop wazuh-indexer service." >&2 - exit 1 - fi - ;; - restart) - echo "Restarting wazuh-indexer service..." - systemctl restart wazuh-indexer - check_service_is_running - ;; - *) - echo "Error: Invalid action specified. Use start, stop, or restart." - usage - ;; -esac 
diff --git a/test-tools/scripts/04_initialize_cluster.sh b/test-tools/scripts/04_initialize_cluster.sh deleted file mode 100644 index a7121b7c09d94..0000000000000 --- a/test-tools/scripts/04_initialize_cluster.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq) - -# Function to display usage help -usage() { - echo "Usage: $0 [-ip ] [-u ] [-p ]" - echo - echo "Parameters:" - echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" - echo " -u, --user (Optional) Username for authentication. Default: admin" - echo " -p, --password (Optional) Password for authentication. Default: admin" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Default values -CLUSTER_IP="localhost" -USER="admin" -PASSWORD="admin" - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; - -u|--user) USER="$2"; shift ;; - -p|--password) PASSWORD="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Initialize cluster -echo "Initializing wazuh-indexer cluster..." -bash /usr/share/wazuh-indexer/bin/indexer-security-init.sh > /dev/null 2>&1 - -# Check if the initialization was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to initialize cluster." - exit 1 -fi - -# Check the Wazuh indexer status -echo "Checking cluster status..." -sleep 2 -RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200") - -# Check if the request was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to connect to cluster." 
- exit 1 -fi - -# Parse and print the response -INDEXER_NAME=$(echo "$RESPONSE" | jq -r '.name') -CLUSTER_NAME=$(echo "$RESPONSE" | jq -r '.cluster_name') -VERSION_NUMBER=$(echo "$RESPONSE" | jq -r '.version.number') -echo "Indexer Status:" -echo " Node Name: $INDEXER_NAME" -echo " Cluster Name: $CLUSTER_NAME" -echo " Version Number: $VERSION_NUMBER" - -# Verify the Wazuh indexer nodes -echo "Verifying the Wazuh indexer nodes..." -NODES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/nodes?v") - -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to retrieve Wazuh indexer nodes." - exit 1 -fi - -echo "Nodes:" -echo "$NODES_RESPONSE" -echo "Initialization completed successfully." diff --git a/test-tools/scripts/05_validate_installed_plugins.sh b/test-tools/scripts/05_validate_installed_plugins.sh deleted file mode 100644 index 2801598394f25..0000000000000 --- a/test-tools/scripts/05_validate_installed_plugins.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq) - -# Function to display usage help -usage() { - echo "Usage: $0 [-ip -u -p ] -n -n [...]" - echo - echo "Parameters:" - echo " -ip, --cluster-ip (Optional) IP address of the cluster (default: localhost)" - echo " -u, --user (Optional) Username for authentication (default: admin)" - echo " -p, --password (Optional) Password for authentication (default: admin)" - echo " -n, --node Name of the nodes (add as many as needed)" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Default values -CLUSTER_IP="localhost" -USER="admin" -PASSWORD="admin" -NODES=() - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; - -u|--user) USER="$2"; shift ;; - -p|--password) PASSWORD="$2"; shift ;; - -n|--node) NODES+=("$2"); shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Check if mandatory arguments are provided -if [ -z "$CLUSTER_IP" ] || [ -z "$USER" ] || [ -z "$PASSWORD" ] || [ ${#NODES[@]} -eq 0 ]; then - echo "Error: Missing mandatory parameter." - usage -fi - -# Check the installed plugins on each node -REQUIRED_PLUGINS=("wazuh-indexer-command-manager" "wazuh-indexer-setup") -ALL_MISSING_PLUGINS=() - -echo "Checking installed plugins on Wazuh indexer nodes..." -for NODE in "${NODES[@]}"; do - echo "Checking node $NODE..." 
- RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/plugins?v" | grep "$NODE") - # Check if the request was successful - # shellcheck disable=SC2181 - if [ $? -ne 0 ]; then - echo "Error: Failed to connect to Wazuh indexer." - exit 1 - fi - MISSING_PLUGINS=() - for PLUGIN in "${REQUIRED_PLUGINS[@]}"; do - if echo "$RESPONSE" | grep -q "$PLUGIN"; then - echo " $PLUGIN is installed on $NODE." - else - MISSING_PLUGINS+=("$PLUGIN") - fi - done - if [ ${#MISSING_PLUGINS[@]} -ne 0 ]; then - echo "Error: The following required plugins are missing on $NODE:" - for PLUGIN in "${MISSING_PLUGINS[@]}"; do - echo " $PLUGIN" - done - ALL_MISSING_PLUGINS+=("${MISSING_PLUGINS[@]}") - fi -done - -if [ ${#ALL_MISSING_PLUGINS[@]} -ne 0 ]; then - echo "Error: Some nodes are missing required plugins." - exit 1 -fi - -echo "All required plugins are installed on all nodes." diff --git a/test-tools/scripts/06_validate_setup.sh b/test-tools/scripts/06_validate_setup.sh deleted file mode 100644 index dc9e90688f180..0000000000000 --- a/test-tools/scripts/06_validate_setup.sh +++ /dev/null 
@@ -1,153 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq) - -# Function to display usage help -usage() { - echo "Usage: $0 [-ip ] [-u ] [-p ]" - echo - echo "Parameters:" - echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" - echo " -u, --user (Optional) Username for authentication. Default: admin" - echo " -p, --password (Optional) Password for authentication. Default: admin" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Default values -CLUSTER_IP="localhost" -USER="admin" -PASSWORD="admin" - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; - -u|--user) USER="$2"; shift ;; - -p|--password) PASSWORD="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# List of expected items -EXPECTED_TEMPLATES=("index-template-agent" "index-template-alerts" "index-template-fim" "index-template-packages" - "index-template-processes" "index-template-system" "index-template-vulnerabilities") - -# Fetch the templates -echo "Fetching templates from Wazuh indexer cluster..." -TEMPLATES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/templates?v") -# Check if the request was successful -if [ $? -ne 0 ]; then - echo "Error: Failed to fetch templates." - exit 1 -fi - -# Validate the templates -MISSING_TEMPLATES=() -echo "Validating templates..." 
-for TEMPLATE in "${EXPECTED_TEMPLATES[@]}"; do - if echo "$TEMPLATES_RESPONSE" | grep -q "$TEMPLATE"; then - # Fetch the template info to check for required fields - TEMPLATE_INFO=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_template/$TEMPLATE") - if ! echo "$TEMPLATE_INFO" | jq -e '.[] | .mappings.properties.agent.properties.id' > /dev/null; then - echo " Error: Template $TEMPLATE is missing required field 'agent.id'." - MISSING_TEMPLATES+=("$TEMPLATE") - elif ! echo "$TEMPLATE_INFO" | jq -e '.[] | .mappings.properties.agent.properties.groups' > /dev/null; then - echo " Error: Template $TEMPLATE is missing required field 'agent.groups'." - MISSING_TEMPLATES+=("$TEMPLATE") - else - echo " Template $TEMPLATE is created correctly." - fi - else - MISSING_TEMPLATES+=("$TEMPLATE") - echo " Error: Template $TEMPLATE is missing." - fi -done - -if [ ${#MISSING_TEMPLATES[@]} -ne 0 ]; then - echo "Some templates were not created correctly:" - for TEMPLATE in "${MISSING_TEMPLATES[@]}"; do - echo " $TEMPLATE" - done - echo -else - echo "All templates are correctly created." - echo -fi - -# Fetch the indices -echo "Fetching indices from Wazuh indexer cluster..." -INDICES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices?v") -# Check if the request was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to fetch indices." - exit 1 -fi - -# Fetch the protected indices -echo "Fetching protected indices from Wazuh indexer cluster..." -PROTECTED_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v") -# Check if the request was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to fetch indices." - exit 1 -fi - -# Validate index patterns -echo "Validating index patterns..." 
-INVALID_PATTERNS=() -while read -r line; do - TEMPLATE_NAME=$(echo "$line" | awk '{print $1}') - INDEX_PATTERN=$(echo "$line" | awk '{print $2}' | tr -d '[]') - - if [[ $INDEX_PATTERN == .* ]]; then - TO_MATCH=$PROTECTED_RESPONSE - else - TO_MATCH=$INDICES_RESPONSE - fi - - # Check if index pattern ends with '*' - if [[ $INDEX_PATTERN != *\* ]]; then - echo " Error: Index pattern $INDEX_PATTERN does not end with '*'." - INVALID_PATTERNS+=("$INDEX_PATTERN") - continue - fi - - if echo "$TO_MATCH" | grep -q "$INDEX_PATTERN"; then - echo " Index pattern $INDEX_PATTERN is valid." - else - INVALID_PATTERNS+=("$INDEX_PATTERN") - echo " Error: Index pattern $INDEX_PATTERN not found in indices for template $TEMPLATE_NAME." - fi -done <<< "$(echo "$TEMPLATES_RESPONSE" | tail -n +2)" # Skip header line - -if [ ${#INVALID_PATTERNS[@]} -ne 0 ]; then - echo "Errors on index-patterns detected:" - for PATTERN in "${INVALID_PATTERNS[@]}"; do - echo " $PATTERN" - done - echo -else - echo "Index-patterns validated successfully." -fi diff --git a/test-tools/scripts/07_validate_command_manager.sh b/test-tools/scripts/07_validate_command_manager.sh deleted file mode 100644 index 53fb764a67818..0000000000000 --- a/test-tools/scripts/07_validate_command_manager.sh +++ /dev/null 
@@ -1,115 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq) - -# Function to display usage help -usage() { - echo "Usage: $0 [-ip ] [-u ] [-p ]" - echo - echo "Parameters:" - echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" - echo " -u, --user (Optional) Username for authentication. Default: admin" - echo " -p, --password (Optional) Password for authentication. Default: admin" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Default values -CLUSTER_IP="localhost" -USERNAME="admin" -PASSWORD="admin" - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; - -u|--user) USERNAME="$2"; shift ;; - -p|--password) PASSWORD="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -COMMANDS_INDEX="wazuh-commands" -SRC="Engine" -USR="TestUser" -TRG_ID="TestTarget" -ARG="/test/path/fake/args" -BODY="{ - \"source\": \"$SRC\", - \"user\": \"$USR\", - \"target\": { - \"id\": \"$TRG_ID\", - \"type\": \"agent\" - }, - \"action\": { - \"name\": \"restart\", - \"args\": [ - \"$ARG\" - ], - \"version\": \"v4\" - }, - \"timeout\": 30 -}" - -# Send the POST request and check it is successful -if ! curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_plugins/_command_manager/commands" -H 'accept: */*' -H 'Content-Type: application/json' -d "$BODY" > /dev/null 2>&1; then - echo "Error: Failed to create command." 
- exit 1 -fi -echo "Command created successfully." -# Sleep to avoid the next request to be sent before index is created -curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_forcemerge" -H 'accept: */*' -sleep 2 - -# Fetch the indices -echo "Validating $COMMANDS_INDEX index is created..." -INDICES_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v") -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to fetch indices." - exit 1 -fi -if echo "$INDICES_RESPONSE" | grep -q "$COMMANDS_INDEX"; then - echo "Index created correctly." -else - echo "Error: Index is not created." - exit 1 -fi - -sleep 5 -echo "Validate the command is created" -# Validate the command was created -SEARCH_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/$COMMANDS_INDEX/_search") -# Check if the request was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to search for the command." - exit 1 -fi - -# Check if the command is found in the search results -if echo "$SEARCH_RESPONSE" | grep -q "\"$USR\"" && echo "$SEARCH_RESPONSE" | grep -q "\"$TRG_ID\""; then - echo "Validation successful: The command was created and found in the search results." -else - echo "Error: The command was not found in the search results." - exit 1 -fi diff --git a/test-tools/scripts/08_uninstall_indexer.sh b/test-tools/scripts/08_uninstall_indexer.sh deleted file mode 100644 index 094c7ca8781b1..0000000000000 --- a/test-tools/scripts/08_uninstall_indexer.sh +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Function to display usage help -usage() { - echo "Usage: $0 [-h]" - echo - echo "This script uninstalls Wazuh Indexer and validates its removal." - echo - echo "Options:" - echo " -h, --help Show this help message and exit." - echo - exit 1 -} - -# Check for help flag -if [[ "$1" == "-h" || "$1" == "--help" ]]; then - usage -fi - -# Detect package manager -if command -v apt-get &> /dev/null; then - PKG_MANAGER="apt-get" -elif command -v yum &> /dev/null; then - PKG_MANAGER="yum" -else - echo "Unsupported package manager. Please use a system with apt-get or yum." - exit 1 -fi - -# Uninstall Wazuh Indexer -echo "Uninstalling Wazuh Indexer..." -sudo systemctl stop wazuh-indexer > /dev/null 2>&1 -sudo systemctl disable wazuh-indexer > /dev/null 2>&1 - -if [ "$PKG_MANAGER" == "apt-get" ]; then - sudo apt-get remove --purge wazuh-indexer -y > /dev/null 2>&1 -elif [ "$PKG_MANAGER" == "yum" ]; then - sudo yum remove wazuh-indexer -y > /dev/null 2>&1 -fi -rm -rf /etc/wazuh-indexer - -# Validate removal -echo "Validating Wazuh Indexer removal..." - -# Check for remaining files and directories -if [ "$PKG_MANAGER" == "apt-get" ]; then - if dpkg -l | grep wazuh-indexer > /dev/null 2>&1; then - echo "Error: Wazuh Indexer packages still present." - exit 1 - else - echo "Wazuh Indexer packages removed." - fi -elif [ "$PKG_MANAGER" == "yum" ]; then - if rpm -qa | grep wazuh-indexer > /dev/null 2>&1; then - echo "Error: Wazuh Indexer packages still present." - exit 1 - else - echo "Wazuh Indexer packages removed." - fi -fi - -# Check for remaining services -if systemctl list-units --full -all | grep wazuh-indexer.service > /dev/null 2>&1; then - echo "Error: Wazuh Indexer service still present." - exit 1 -else - echo "Wazuh Indexer service removed." 
-fi - -echo "Wazuh Indexer uninstallation and validation completed successfully." diff --git a/test-tools/scripts/README.md b/test-tools/scripts/README.md deleted file mode 100644 index 06d84a44f50d5..0000000000000 --- a/test-tools/scripts/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Test utils scripts - -This is a collection of scripts aimed to facilitate the validation of the wazuh-indexer packages generated on the GitHub Action Workflow. - -Even if these scripts can be executed in almost any Linux environment, we expect it to be used alongside the -Vagrant environment defined in the `test-tools`, using the scripts inside the VMs to facilitate the validation steps. - -### GitHub token requirements - -Create a personal access token for GitHub with at least `read:packages` permissions. - -## Validation flow - -The scripts can be used to prepare and validate a single node or multi-node cluster, as required. - -### All-at-once - -#### Single node - -Use the `00_run.sh` utility to execute all the scripts automatically -```bash -sudo bash 00_run.sh -``` - -#### Multi node cluster - -> This section assumes you are using the `node-1` and `node-2` Vagrant VMs - -1. On the `node-2` VM install and prepare the `wazuh-indexer` component - ```bash - GITHUB_TOKEN= bash 01_download_and_install_package.sh -id -n - ``` - ```bash - sudo bash 02_apply_certificates.sh -p ../wazuh-certificates.tar -n node-2 -nip 192.168.56.11 -s node-1 -sip 192.168.56.10 - ``` - ```bash - sudo bash 03_manage_indexer_service.sh -a start - ``` -2. On the `node-1` VM execute the _all-at-once_ utility - ```bash - sudo bash 00_run.sh - ``` - -### Manual execution - -If you prefer, you can run each script individually. - -1. Download and install the `wazuh-indexer` package _(mandatory on each node)_ - ```bash - GITHUB_TOKEN= bash 01_download_and_install_package.sh -id -n - ``` -2. Configure and start the service _(mandatory on each node)_ - ```bash - sudo bash 02_apply_certificates.sh -p -n -nip - ``` - ```bash - sudo bash 03_manage_indexer_service.sh -a start - ``` - > With this script you can also `restart` and `stop` the service -3. Initialize the cluster - ```bash - sudo bash 04_initialize_cluster.sh - ``` -4. 
Check all the plugins are installed - ```bash - bash 05_validate_installed_plugins.sh -n - ``` -5. Check the setup plugin configured the index-patterns correctly - ```bash - bash 06_validate_setup.sh - ``` -6. Check the command manager plugin works correctly - ```bash - bash 07_validate_command_manager.sh - ``` -7. Uninstall Wazuh indexer - ```bash - sudo bash 08_uninstall_indexer.sh - ```
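Review bot: the removal of test-tools/scripts/00_run.sh deletes the end-to-end package validation entry point (download and install, certificate setup, service start, security init, plugin/template/command-manager checks, uninstall) with no replacement visible in this diff, so the PR description or the remaining test-tools documentation should state where that validation now happens. If any of it is reinstated, build the sub-script invocations as argument arrays rather than interpolating `$CERTS_PATH`, `$NODE_NAME` and `$NODE_2` into a string handed to `eval "$cmd"` in `run_command`, where a value containing spaces or shell metacharacters is re-parsed by the shell.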
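Review bot: in the deleted test-tools/scripts/01_download_and_install_package.sh the usage text documents `--run-id` while the parser only matches `--artifact-id|-id`, the "either --name or both --version and --revision" check can never fail on revision because `PKG_REVISION` defaults to "0", and the `$?` tested after `unzip ./package.zip` / `rm package.zip` is the exit status of `rm`, so a failed unzip was never detected. Worth carrying these fixes into whatever replaces this downloader rather than re-importing them.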
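Review bot: the `rm -rf` in the deleted test-tools/scripts/02_apply_certificates.sh has no operand, so an existing /etc/wazuh-indexer/certs was never cleared and the following `mv -n` silently kept stale indexer.pem/indexer-key.pem from a previous run while reporting success. If the certificate step is reimplemented elsewhere, make the removal explicit (`rm -rf "$CERT_DIR"`) and fail when the destination files already exist; the `chmod 500`/`chmod 400` and `chown -R wazuh-indexer:wazuh-indexer` permissions in this hunk are the part worth keeping.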
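Review bot: the deleted test-tools/scripts/README.md was the only documentation of this validation flow and ties it to the Vagrant environment under `test-tools` (nodes `node-1`/`node-2`, the `wazuh-certificates.tar` bundle, the `00_run.sh` all-at-once entry point). Confirm that the Vagrantfile/provisioning in test-tools and any top-level docs no longer reference `00_run.sh`, the numbered scripts or `/home/vagrant/wazuh-certificates.tar`; otherwise the remaining environment points at files that no longer exist.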