From 5d77ed472315070c63384bb137a1bb002185e142 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Mon, 10 Feb 2025 18:09:02 +0100 Subject: [PATCH] Migrate code and documentation to wazuh-indexer-plugins repo (#678) * Migrate code and documentation to wazuh-indexer-plugins repo * Migrate operational--integrations_maintenance_request.md * Remove ECS generator workflow --- ...ional--integrations_maintenance_request.md | 30 - .github/workflows/generate-ecs-mappings.yml | 48 - README.md | 1 - ecs/.gitignore | 3 - ecs/README.md | 128 -- ecs/agent/event-generator/event_generator.py | 182 -- ecs/agent/fields/custom/agent.yml | 32 - ecs/agent/fields/custom/host.yml | 6 - ecs/agent/fields/custom/os.yml | 6 - ecs/agent/fields/custom/risk.yml | 6 - ecs/agent/fields/mapping-settings.json | 4 - ecs/agent/fields/subset.yml | 18 - .../fields/template-settings-legacy.json | 22 - ecs/agent/fields/template-settings.json | 24 - ecs/alerts/fields/custom/agent.yml | 12 - ecs/alerts/fields/custom/host.yml | 6 - ecs/alerts/fields/custom/os.yml | 6 - ecs/alerts/fields/custom/risk.yml | 6 - ecs/alerts/fields/mapping-settings.json | 4 - ecs/alerts/fields/subset.yml | 603 ----- .../fields/template-settings-legacy.json | 18 - ecs/alerts/fields/template-settings.json | 18 - .../event-generator/event_generator.py | 165 -- ecs/command/fields/custom/agent.yml | 12 - ecs/command/fields/custom/base.yml | 9 - ecs/command/fields/custom/command.yml | 79 - ecs/command/fields/mapping-settings.json | 4 - ecs/command/fields/subset.yml | 13 - .../fields/template-settings-legacy.json | 17 - ecs/command/fields/template-settings.json | 21 - ecs/docs/README.md | 22 - ecs/docs/agents.md | 108 - ecs/docs/alerts.md | 644 ------ ecs/docs/commands.md | 168 -- ecs/docs/inventory-hardware.md | 81 - ecs/docs/inventory-hotfixes.md | 66 - ecs/docs/inventory-networks.md | 116 - ecs/docs/inventory-packages.md | 95 - ecs/docs/inventory-ports.md | 112 - ecs/docs/inventory-processes.md | 138 -- ecs/docs/inventory-system.md | 98 - ecs/docs/states-fim.md | 106 - 
ecs/docs/states-vulnerability.md | 169 -- ecs/generator/images/Dockerfile | 33 - ecs/generator/images/generator.sh | 103 - ecs/generator/mapping-generator.sh | 79 - ecs/generator/mapping-generator.yml | 11 - ecs/scripts/generate-pr-to-plugins.sh | 296 --- .../event-generator/event_generator.py | 211 -- ecs/states-fim/fields/custom/agent.yml | 12 - ecs/states-fim/fields/custom/host.yml | 6 - ecs/states-fim/fields/custom/os.yml | 6 - ecs/states-fim/fields/custom/risk.yml | 6 - ecs/states-fim/fields/mapping-settings.json | 4 - ecs/states-fim/fields/subset.yml | 39 - .../fields/template-settings-legacy.json | 21 - ecs/states-fim/fields/template-settings.json | 23 - .../event-generator/event_generator.py | 219 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 52 - .../fields/custom/os.yml | 6 - .../fields/custom/risk.yml | 6 - .../fields/mapping-settings.json | 4 - .../fields/subset.yml | 25 - .../fields/template-settings-legacy.json | 14 - .../fields/template-settings.json | 18 - .../event-generator/event_generator.py | 193 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 6 - .../fields/custom/os.yml | 6 - .../fields/custom/package.yml | 19 - .../fields/custom/risk.yml | 6 - .../fields/mapping-settings.json | 4 - .../fields/subset.yml | 21 - .../fields/template-settings-legacy.json | 14 - .../fields/template-settings.json | 18 - .../event-generator/event_generator.py | 247 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 27 - .../fields/custom/interface.yml | 27 - .../fields/custom/network.yml | 33 - .../fields/custom/os.yml | 6 - .../fields/custom/risk.yml | 6 - .../fields/mapping-settings.json | 4 - .../fields/subset.yml | 40 - .../fields/template-settings-legacy.json | 21 - .../fields/template-settings.json | 25 - .../event-generator/event_generator.py | 198 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 6 - .../fields/custom/os.yml | 6 - .../fields/custom/risk.yml | 6 - 
.../fields/mapping-settings.json | 4 - .../fields/subset.yml | 26 - .../fields/template-settings-legacy.json | 19 - .../fields/template-settings.json | 21 - .../event-generator/event_generator.py | 247 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 17 - .../fields/custom/interface.yml | 17 - .../fields/custom/os.yml | 6 - .../fields/custom/risk.yml | 6 - .../fields/mapping-settings.json | 4 - ecs/states-inventory-ports/fields/subset.yml | 50 - .../fields/template-settings-legacy.json | 18 - .../fields/template-settings.json | 22 - .../event-generator/event_generator.py | 223 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 6 - .../fields/custom/os.yml | 6 - .../fields/custom/risk.yml | 6 - .../fields/mapping-settings.json | 4 - .../fields/subset.yml | 52 - .../fields/template-settings-legacy.json | 18 - .../fields/template-settings.json | 20 - .../event-generator/event_generator.py | 197 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 6 - .../fields/custom/os.yml | 6 - .../fields/custom/risk.yml | 6 - .../fields/mapping-settings.json | 4 - ecs/states-inventory-system/fields/subset.yml | 18 - .../fields/template-settings-legacy.json | 18 - .../fields/template-settings.json | 20 - .../event-generator/event_generator.py | 233 -- .../fields/custom/agent.yml | 12 - .../fields/custom/host.yml | 6 - .../fields/custom/os.yml | 6 - .../fields/custom/package.yml | 15 - .../fields/custom/risk.yml | 6 - .../fields/custom/vulnerability.yml | 34 - .../fields/custom/wazuh.yml | 21 - .../fields/mapping-settings.json | 4 - ecs/states-vulnerabilities/fields/subset.yml | 23 - .../fields/template-settings-legacy.json | 23 - .../fields/template-settings.json | 25 - integrations/.gitignore | 3 - integrations/README.md | 33 - .../amazon-security-lake/.dockerignore | 180 -- integrations/amazon-security-lake/.gitignore | 179 -- .../amazon-security-lake/CONTRIBUTING.md | 61 - integrations/amazon-security-lake/Dockerfile | 17 - 
integrations/amazon-security-lake/Makefile | 30 - integrations/amazon-security-lake/README.md | 292 --- .../images/asl-custom-source-form.jpeg | Bin 59572 -> 0 bytes .../images/asl-custom-source.jpeg | Bin 30234 -> 0 bytes .../images/asl-lambda-trigger.jpeg | Bin 82300 -> 0 bytes .../images/asl-overview.jpeg | Bin 33327 -> 0 bytes .../amazon-security-lake/invoke-lambda.sh | 42 - .../logstash/pipeline/indexer-to-s3.conf | 53 - .../amazon-security-lake/logstash/setup.sh | 10 - .../amazon-security-lake/requirements.aws.txt | 2 - .../amazon-security-lake/requirements.txt | 4 - .../src/lambda_function.py | 185 -- .../src/models/__init__.py | 2 - .../amazon-security-lake/src/models/ocsf.py | 104 - .../amazon-security-lake/src/models/wazuh.py | 50 - .../src/wazuh_ocsf_converter.py | 185 -- integrations/docker/.env | 44 - .../docker/compose.amazon-security-lake.yml | 175 -- .../docker/compose.indexer-elastic.yml | 259 --- .../docker/compose.indexer-opensearch.yml | 194 -- .../docker/compose.indexer-splunk.yml | 182 -- integrations/docker/config/certs.yml | 20 - integrations/elastic/Dockerfile | 19 - integrations/elastic/README.md | 47 - integrations/elastic/dashboards.ndjson | 9 - .../logstash/pipeline/es_template.json | 2042 ----------------- .../logstash/pipeline/indexer-to-elastic.conf | 35 - integrations/elastic/logstash/setup.sh | 10 - integrations/logstash/Dockerfile | 19 - integrations/logstash/setup.sh | 10 - integrations/opensearch/README.md | 47 - integrations/opensearch/dashboards.ndjson | 38 - .../pipeline/indexer-to-opensearch.conf | 38 - .../logstash/pipeline/os_template.json | 2039 ---------------- integrations/opensearch/opensearch.yml | 39 - .../opensearch/opensearch_dashboards.yml | 21 - integrations/splunk/README.md | 47 - integrations/splunk/cfssl/ca.json | 15 - integrations/splunk/cfssl/cfssl.json | 58 - integrations/splunk/cfssl/host.json | 19 - integrations/splunk/config/default.yml | 25 - integrations/splunk/config/indexes.conf | 11 - 
.../logstash/pipeline/indexer-to-splunk.conf | 31 - integrations/splunk/logstash/setup.sh | 10 - integrations/splunk/wazuh-amazon-aws | 132 -- integrations/splunk/wazuh-docker-listener | 130 -- integrations/splunk/wazuh-incident-response | 131 -- integrations/splunk/wazuh-malware-detection | 132 -- integrations/splunk/wazuh-pci-dss | 132 -- integrations/splunk/wazuh-security-events | 292 --- integrations/splunk/wazuh-vulnerabilities | 257 --- .../tools/events-generator/.dockerignore | 2 - .../tools/events-generator/.gitignore | 1 - .../tools/events-generator/Dockerfile | 4 - integrations/tools/events-generator/README.md | 52 - .../tools/events-generator/requirements.txt | 1 - integrations/tools/events-generator/run.py | 205 -- .../events-generator/wazuh-alerts/alerts.json | 1124 --------- test-tools/.gitignore | 1 - test-tools/README.md | 45 - test-tools/Vagrantfile | 54 - test-tools/config.yml | 7 - test-tools/pre-start.sh | 23 - test-tools/scripts/00_run.sh | 88 - .../01_download_and_install_package.sh | 173 -- test-tools/scripts/02_apply_certificates.sh | 117 - .../scripts/03_manage_indexer_service.sh | 76 - test-tools/scripts/04_initialize_cluster.sh | 95 - .../scripts/05_validate_installed_plugins.sh | 95 - test-tools/scripts/06_validate_setup.sh | 153 -- .../scripts/07_validate_command_manager.sh | 115 - test-tools/scripts/08_uninstall_indexer.sh | 75 - test-tools/scripts/README.md | 79 - 215 files changed, 17844 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md delete mode 100644 .github/workflows/generate-ecs-mappings.yml delete mode 100644 ecs/.gitignore delete mode 100644 ecs/README.md delete mode 100644 ecs/agent/event-generator/event_generator.py delete mode 100644 ecs/agent/fields/custom/agent.yml delete mode 100644 ecs/agent/fields/custom/host.yml delete mode 100644 ecs/agent/fields/custom/os.yml delete mode 100644 ecs/agent/fields/custom/risk.yml delete mode 100644 
ecs/agent/fields/mapping-settings.json delete mode 100644 ecs/agent/fields/subset.yml delete mode 100644 ecs/agent/fields/template-settings-legacy.json delete mode 100644 ecs/agent/fields/template-settings.json delete mode 100644 ecs/alerts/fields/custom/agent.yml delete mode 100644 ecs/alerts/fields/custom/host.yml delete mode 100644 ecs/alerts/fields/custom/os.yml delete mode 100644 ecs/alerts/fields/custom/risk.yml delete mode 100644 ecs/alerts/fields/mapping-settings.json delete mode 100644 ecs/alerts/fields/subset.yml delete mode 100644 ecs/alerts/fields/template-settings-legacy.json delete mode 100644 ecs/alerts/fields/template-settings.json delete mode 100644 ecs/command/event-generator/event_generator.py delete mode 100644 ecs/command/fields/custom/agent.yml delete mode 100644 ecs/command/fields/custom/base.yml delete mode 100644 ecs/command/fields/custom/command.yml delete mode 100644 ecs/command/fields/mapping-settings.json delete mode 100644 ecs/command/fields/subset.yml delete mode 100644 ecs/command/fields/template-settings-legacy.json delete mode 100644 ecs/command/fields/template-settings.json delete mode 100644 ecs/docs/README.md delete mode 100644 ecs/docs/agents.md delete mode 100644 ecs/docs/alerts.md delete mode 100644 ecs/docs/commands.md delete mode 100644 ecs/docs/inventory-hardware.md delete mode 100644 ecs/docs/inventory-hotfixes.md delete mode 100644 ecs/docs/inventory-networks.md delete mode 100644 ecs/docs/inventory-packages.md delete mode 100644 ecs/docs/inventory-ports.md delete mode 100644 ecs/docs/inventory-processes.md delete mode 100644 ecs/docs/inventory-system.md delete mode 100644 ecs/docs/states-fim.md delete mode 100644 ecs/docs/states-vulnerability.md delete mode 100644 ecs/generator/images/Dockerfile delete mode 100755 ecs/generator/images/generator.sh delete mode 100644 ecs/generator/mapping-generator.sh delete mode 100644 ecs/generator/mapping-generator.yml delete mode 100644 ecs/scripts/generate-pr-to-plugins.sh delete 
mode 100644 ecs/states-fim/event-generator/event_generator.py delete mode 100644 ecs/states-fim/fields/custom/agent.yml delete mode 100644 ecs/states-fim/fields/custom/host.yml delete mode 100644 ecs/states-fim/fields/custom/os.yml delete mode 100644 ecs/states-fim/fields/custom/risk.yml delete mode 100644 ecs/states-fim/fields/mapping-settings.json delete mode 100644 ecs/states-fim/fields/subset.yml delete mode 100644 ecs/states-fim/fields/template-settings-legacy.json delete mode 100644 ecs/states-fim/fields/template-settings.json delete mode 100644 ecs/states-inventory-hardware/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-hardware/fields/custom/agent.yml delete mode 100644 ecs/states-inventory-hardware/fields/custom/host.yml delete mode 100644 ecs/states-inventory-hardware/fields/custom/os.yml delete mode 100644 ecs/states-inventory-hardware/fields/custom/risk.yml delete mode 100644 ecs/states-inventory-hardware/fields/mapping-settings.json delete mode 100644 ecs/states-inventory-hardware/fields/subset.yml delete mode 100644 ecs/states-inventory-hardware/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-hardware/fields/template-settings.json delete mode 100644 ecs/states-inventory-hotfixes/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-hotfixes/fields/custom/agent.yml delete mode 100644 ecs/states-inventory-hotfixes/fields/custom/host.yml delete mode 100644 ecs/states-inventory-hotfixes/fields/custom/os.yml delete mode 100644 ecs/states-inventory-hotfixes/fields/custom/package.yml delete mode 100644 ecs/states-inventory-hotfixes/fields/custom/risk.yml delete mode 100644 ecs/states-inventory-hotfixes/fields/mapping-settings.json delete mode 100644 ecs/states-inventory-hotfixes/fields/subset.yml delete mode 100644 ecs/states-inventory-hotfixes/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-hotfixes/fields/template-settings.json delete mode 100644 
ecs/states-inventory-networks/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-networks/fields/custom/agent.yml delete mode 100644 ecs/states-inventory-networks/fields/custom/host.yml delete mode 100644 ecs/states-inventory-networks/fields/custom/interface.yml delete mode 100644 ecs/states-inventory-networks/fields/custom/network.yml delete mode 100644 ecs/states-inventory-networks/fields/custom/os.yml delete mode 100644 ecs/states-inventory-networks/fields/custom/risk.yml delete mode 100644 ecs/states-inventory-networks/fields/mapping-settings.json delete mode 100644 ecs/states-inventory-networks/fields/subset.yml delete mode 100644 ecs/states-inventory-networks/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-networks/fields/template-settings.json delete mode 100644 ecs/states-inventory-packages/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-packages/fields/custom/agent.yml delete mode 100644 ecs/states-inventory-packages/fields/custom/host.yml delete mode 100644 ecs/states-inventory-packages/fields/custom/os.yml delete mode 100644 ecs/states-inventory-packages/fields/custom/risk.yml delete mode 100644 ecs/states-inventory-packages/fields/mapping-settings.json delete mode 100644 ecs/states-inventory-packages/fields/subset.yml delete mode 100644 ecs/states-inventory-packages/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-packages/fields/template-settings.json delete mode 100644 ecs/states-inventory-ports/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-ports/fields/custom/agent.yml delete mode 100644 ecs/states-inventory-ports/fields/custom/host.yml delete mode 100644 ecs/states-inventory-ports/fields/custom/interface.yml delete mode 100644 ecs/states-inventory-ports/fields/custom/os.yml delete mode 100644 ecs/states-inventory-ports/fields/custom/risk.yml delete mode 100644 ecs/states-inventory-ports/fields/mapping-settings.json 
delete mode 100644 ecs/states-inventory-ports/fields/subset.yml delete mode 100644 ecs/states-inventory-ports/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-ports/fields/template-settings.json delete mode 100644 ecs/states-inventory-processes/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-processes/fields/custom/agent.yml delete mode 100644 ecs/states-inventory-processes/fields/custom/host.yml delete mode 100644 ecs/states-inventory-processes/fields/custom/os.yml delete mode 100644 ecs/states-inventory-processes/fields/custom/risk.yml delete mode 100644 ecs/states-inventory-processes/fields/mapping-settings.json delete mode 100644 ecs/states-inventory-processes/fields/subset.yml delete mode 100644 ecs/states-inventory-processes/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-processes/fields/template-settings.json delete mode 100644 ecs/states-inventory-system/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-system/fields/custom/agent.yml delete mode 100644 ecs/states-inventory-system/fields/custom/host.yml delete mode 100644 ecs/states-inventory-system/fields/custom/os.yml delete mode 100644 ecs/states-inventory-system/fields/custom/risk.yml delete mode 100644 ecs/states-inventory-system/fields/mapping-settings.json delete mode 100644 ecs/states-inventory-system/fields/subset.yml delete mode 100644 ecs/states-inventory-system/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-system/fields/template-settings.json delete mode 100644 ecs/states-vulnerabilities/event-generator/event_generator.py delete mode 100644 ecs/states-vulnerabilities/fields/custom/agent.yml delete mode 100644 ecs/states-vulnerabilities/fields/custom/host.yml delete mode 100644 ecs/states-vulnerabilities/fields/custom/os.yml delete mode 100644 ecs/states-vulnerabilities/fields/custom/package.yml delete mode 100644 
ecs/states-vulnerabilities/fields/custom/risk.yml delete mode 100644 ecs/states-vulnerabilities/fields/custom/vulnerability.yml delete mode 100644 ecs/states-vulnerabilities/fields/custom/wazuh.yml delete mode 100644 ecs/states-vulnerabilities/fields/mapping-settings.json delete mode 100644 ecs/states-vulnerabilities/fields/subset.yml delete mode 100644 ecs/states-vulnerabilities/fields/template-settings-legacy.json delete mode 100644 ecs/states-vulnerabilities/fields/template-settings.json delete mode 100644 integrations/.gitignore delete mode 100644 integrations/README.md delete mode 100644 integrations/amazon-security-lake/.dockerignore delete mode 100644 integrations/amazon-security-lake/.gitignore delete mode 100644 integrations/amazon-security-lake/CONTRIBUTING.md delete mode 100644 integrations/amazon-security-lake/Dockerfile delete mode 100644 integrations/amazon-security-lake/Makefile delete mode 100644 integrations/amazon-security-lake/README.md delete mode 100644 integrations/amazon-security-lake/images/asl-custom-source-form.jpeg delete mode 100644 integrations/amazon-security-lake/images/asl-custom-source.jpeg delete mode 100644 integrations/amazon-security-lake/images/asl-lambda-trigger.jpeg delete mode 100644 integrations/amazon-security-lake/images/asl-overview.jpeg delete mode 100644 integrations/amazon-security-lake/invoke-lambda.sh delete mode 100644 integrations/amazon-security-lake/logstash/pipeline/indexer-to-s3.conf delete mode 100644 integrations/amazon-security-lake/logstash/setup.sh delete mode 100644 integrations/amazon-security-lake/requirements.aws.txt delete mode 100644 integrations/amazon-security-lake/requirements.txt delete mode 100644 integrations/amazon-security-lake/src/lambda_function.py delete mode 100644 integrations/amazon-security-lake/src/models/__init__.py delete mode 100644 integrations/amazon-security-lake/src/models/ocsf.py delete mode 100644 integrations/amazon-security-lake/src/models/wazuh.py delete mode 100644 
integrations/amazon-security-lake/src/wazuh_ocsf_converter.py delete mode 100644 integrations/docker/.env delete mode 100644 integrations/docker/compose.amazon-security-lake.yml delete mode 100644 integrations/docker/compose.indexer-elastic.yml delete mode 100644 integrations/docker/compose.indexer-opensearch.yml delete mode 100644 integrations/docker/compose.indexer-splunk.yml delete mode 100644 integrations/docker/config/certs.yml delete mode 100644 integrations/elastic/Dockerfile delete mode 100644 integrations/elastic/README.md delete mode 100644 integrations/elastic/dashboards.ndjson delete mode 100644 integrations/elastic/logstash/pipeline/es_template.json delete mode 100644 integrations/elastic/logstash/pipeline/indexer-to-elastic.conf delete mode 100644 integrations/elastic/logstash/setup.sh delete mode 100644 integrations/logstash/Dockerfile delete mode 100644 integrations/logstash/setup.sh delete mode 100644 integrations/opensearch/README.md delete mode 100644 integrations/opensearch/dashboards.ndjson delete mode 100644 integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf delete mode 100644 integrations/opensearch/logstash/pipeline/os_template.json delete mode 100644 integrations/opensearch/opensearch.yml delete mode 100644 integrations/opensearch/opensearch_dashboards.yml delete mode 100644 integrations/splunk/README.md delete mode 100644 integrations/splunk/cfssl/ca.json delete mode 100644 integrations/splunk/cfssl/cfssl.json delete mode 100644 integrations/splunk/cfssl/host.json delete mode 100644 integrations/splunk/config/default.yml delete mode 100644 integrations/splunk/config/indexes.conf delete mode 100644 integrations/splunk/logstash/pipeline/indexer-to-splunk.conf delete mode 100644 integrations/splunk/logstash/setup.sh delete mode 100644 integrations/splunk/wazuh-amazon-aws delete mode 100644 integrations/splunk/wazuh-docker-listener delete mode 100644 integrations/splunk/wazuh-incident-response delete mode 100644 
integrations/splunk/wazuh-malware-detection delete mode 100644 integrations/splunk/wazuh-pci-dss delete mode 100644 integrations/splunk/wazuh-security-events delete mode 100644 integrations/splunk/wazuh-vulnerabilities delete mode 100644 integrations/tools/events-generator/.dockerignore delete mode 100644 integrations/tools/events-generator/.gitignore delete mode 100644 integrations/tools/events-generator/Dockerfile delete mode 100644 integrations/tools/events-generator/README.md delete mode 100644 integrations/tools/events-generator/requirements.txt delete mode 100644 integrations/tools/events-generator/run.py delete mode 100644 integrations/tools/events-generator/wazuh-alerts/alerts.json delete mode 100644 test-tools/.gitignore delete mode 100644 test-tools/README.md delete mode 100644 test-tools/Vagrantfile delete mode 100644 test-tools/config.yml delete mode 100644 test-tools/pre-start.sh delete mode 100644 test-tools/scripts/00_run.sh delete mode 100644 test-tools/scripts/01_download_and_install_package.sh delete mode 100644 test-tools/scripts/02_apply_certificates.sh delete mode 100644 test-tools/scripts/03_manage_indexer_service.sh delete mode 100644 test-tools/scripts/04_initialize_cluster.sh delete mode 100644 test-tools/scripts/05_validate_installed_plugins.sh delete mode 100644 test-tools/scripts/06_validate_setup.sh delete mode 100644 test-tools/scripts/07_validate_command_manager.sh delete mode 100644 test-tools/scripts/08_uninstall_indexer.sh delete mode 100644 test-tools/scripts/README.md diff --git a/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md b/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md deleted file mode 100644 index b30b55fe77e5d..0000000000000 --- a/.github/ISSUE_TEMPLATE/operational--integrations_maintenance_request.md +++ /dev/null 
@@ -1,30 +0,0 @@
----
-name: Integrations maintenance request
-about: Used by the Indexer team to maintain third-party software integrations and track the results.
-title: Integrations maintenance request
-labels: level/task, request/operational, type/maintenance
-assignees: ""
----
-
-## Description
-
-The Wazuh Indexer team is responsible for the maintenance of the third-party integrations hosted in the wazuh/wazuh-indexer repository. We must ensure these integrations work under new releases of the third-party software (Splunk, Elastic, Logstash, …) and our own.
-
-For that, we need to:
-
-- [ ] Create a pull request that upgrades the components to the latest version.
-- [ ] Update our testing environments to verify the integrations work under new versions.
-- [ ] Test the integrations, checking that:
- - The Docker Compose project starts without errors.
- The data arrives to the destination.
- All the dashboards can be imported successfully.
- All the dashboards are populated with data.
-- [ ] Finally, upgrade the compatibility matrix in integrations/README.md with the new versions.
-
-> [!NOTE]
-> * For Logstash, we use the logstash-oss image.
-> * For Wazuh Indexer and Wazuh Dashboard, we use the opensearch and opensearch-dashboards images. These must match the opensearch version that we support (e.g: for Wazuh 4.9.0 it is OpenSearch 2.13.0).
-
-## Issues
-
-- _List here the detected issues_
diff --git a/.github/workflows/generate-ecs-mappings.yml b/.github/workflows/generate-ecs-mappings.yml
deleted file mode 100644
index f328c6d79c094..0000000000000
--- a/.github/workflows/generate-ecs-mappings.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-name: ECS Generator
-
-on:
- push:
- paths:
- - "ecs/**/*.json"
- - "ecs/**/*.yml"
-
-jobs:
- run-ecs-generator:
- if: github.repository == 'wazuh/wazuh-indexer'
- runs-on: ubuntu-24.04
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
- with:
- fetch-depth: 2
-
- - name: Extract branch name
- shell: bash
- run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
- id: branch-name
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Set up Docker Compose
- run: sudo apt-get install docker-compose
-
- - name: Generate PR to wazuh-indexer-plugins
- id: generate-pr
- env:
- GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
- COMMITER_EMAIL: ${{ secrets.INDEXER_BOT_EMAIL }}
- COMMITTER_USERNAME: "Wazuh Indexer Bot"
- SSH_PRIVATE_KEY: ${{ secrets.INDEXER_BOT_PRIVATE_SSH_KEY }}
- SSH_PUBLIC_KEY: ${{ secrets.INDEXER_BOT_PUBLIC_SSH_KEY }}
- run: |
- bash ecs/scripts/generate-pr-to-plugins.sh \
- -b ${{ steps.branch-name.outputs.branch }} \
- -o ecs-templates
-
- - name: Upload artifact
- uses: actions/upload-artifact@v4
- with:
- name: ecs-templates
- path: "ecs-templates"
diff --git a/README.md b/README.md
index 95c6fea8fa1d0..3fbf64979dbc6 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,6 @@ [![GHA precommit](https://github.com/opensearch-project/OpenSearch/actions/workflows/precommit.yml/badge.svg)](https://github.com/opensearch-project/OpenSearch/actions/workflows/precommit.yml) [![Jenkins gradle check job](https://img.shields.io/jenkins/build?jobUrl=https%3A%2F%2Fbuild.ci.opensearch.org%2Fjob%2Fgradle-check%2F&label=Jenkins%20Gradle%20Check)](https://build.ci.opensearch.org/job/gradle-check/) [![Build packages](https://github.com/wazuh/wazuh-indexer/actions/workflows/build.yml/badge.svg)](https://github.com/wazuh/wazuh-indexer/actions/workflows/build.yml) -[![ECS Generator](https://github.com/wazuh/wazuh-indexer/actions/workflows/generate-ecs-mappings.yml/badge.svg)](https://github.com/wazuh/wazuh-indexer/actions/workflows/generate-ecs-mappings.yml) - [Welcome!](#welcome)
diff --git a/ecs/.gitignore b/ecs/.gitignore
deleted file mode 100644
index a8047fcd2d67d..0000000000000
--- a/ecs/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-**/mappings
-*.log
-generatedData.json
\ No newline at end of file
diff --git a/ecs/README.md b/ecs/README.md
deleted file mode 100644
index cd4e4b64dc11c..0000000000000
--- a/ecs/README.md
+++ /dev/null
@@ -1,128 +0,0 @@
-## ECS mappings generator
-
-This script generates the ECS mappings for the Wazuh indices.
-
-### Requirements
-
-- [Docker Compose](https://docs.docker.com/compose/install/)
-
-### Folder structure
-
-There is a folder for each module. Inside each folder, there is a `fields` folder with the required files to generate the mappings. These are the inputs for the ECS generator.
-
-### Usage
-
-1. Execute the mapping-generator tool
- ```bash
- bash ecs/generator/mapping-generator.sh run
- ```
-2. (Optional) Run the tool's cleanup
- > The tool stops the container automatically, but it is recommended to run the down command if the tool is not going to be used anymore.
- ```bash
- bash ecs/generator/mapping-generator.sh down
- ```
-
-### Output
-
-A new `mappings` folder will be created inside the module folder, containing all the generated files.
-The files are versioned using the ECS version, so different versions of the same module can be generated.
-For our use case, the most important files are under `mappings//generated/elasticsearch/legacy/`:
-
-- `template.json`: Elasticsearch compatible index template for the module
-- `opensearch-template.json`: OpenSearch compatible index template for the module
-
-The original output is `template.json`, which is not compatible with OpenSearch by default.
-In order to make this template compatible with OpenSearch, the following changes are made:
-
-- The `order` property is renamed to `priority`.
-- The `mappings` and `settings` properties are nested under the `template` property.
-
-The script takes care of these changes automatically, generating the `opensearch-template.json` file as a result.
-
-### Upload
-
-You can either upload the index template using cURL or the UI (dev tools).
-
-```bash
-curl -u admin:admin -k -X PUT "https://indexer:9200/_index_template/wazuh-states-vulnerabilities" -H "Content-Type: application/json" -d @opensearch-template.json
-```
-
-Notes:
-- PUT and POST are interchangeable.
-- The name of the index template does not matter. Any name can be used.
-- Adjust credentials and URL accordingly.
-
-### Adding new mappings
-
-The easiest way to create mappings for a new module is to take a previous one as a base.
-Copy a folder and rename it to the new module name. Then, edit the `fields` files to match the new module fields.
-
-The name of the folder will be the name of the module to be passed to the script. All 3 files are required.
-
-- `fields/subset.yml`: This file contains the subset of ECS fields to be used for the module.
-- `fields/template-settings-legacy.json`: This file contains the legacy template settings for the module.
-- `fields/template-settings.json`: This file contains the composable template settings for the module.
-
-### Event generator
-
-Each module contains a Python script to generate events for its module. The script prompts for the required parameters, so it can be launched without arguments:
-
-```bash
-./event_generator.py
-```
-
-The script will generate a JSON file with the events, and will also ask whether to upload them to the indexer. If the upload option is selected, the script will ask for the indexer URL and port, credentials, and index name.
-The script uses log file. Check it out for debugging or additional information.
-
----
-
-### Automatic PR creation tool
-
-The `generate-pr-to-plugins.sh` script found in the `ecs/scripts` folder is a tool that detects modified ECS modules, generates new templates, commits the changes to a target repository, and creates or updates a pull request.
-
-#### Requirements
-
-- Docker Compose
-- GitHub CLI (`gh`)
-
-#### Usage
-
-To use the script, run the following command:
-
-```sh
-./update-ecs-templates.sh -t
-```
-
-**Options**
-
-- `-b `: (Optional) Branch name to create or update the pull request. Default is current branch.
-- `-t `: (Optional) GitHub token to authenticate with the GitHub API.
If not provided, the script will use the `GITHUB_TOKEN` environment variable.
-
-#### Script Workflow
-
-1. **Validate Dependencies**
- - Checks if the required commands (`docker`, `docker-compose`, and `gh`) are installed.
-
-2. **Detect Modified Modules**
- - Fetches and extracts modified ECS modules by comparing the current branch with the base branch.
- - Identifies relevant ECS modules that have been modified.
-
-3. **Run ECS Generator**
- - Runs the ECS generator script for each relevant module to generate new ECS templates.
-
-4. **Clone Target Repository**
- - Clones the target repository (`wazuh/wazuh-indexer-plugins`) if it does not already exist.
- - Configures Git and GitHub CLI with the provided GitHub token.
-
-5. **Commit and Push Changes**
- - Copies the generated ECS templates to the appropriate directory in the target repository.
- - Commits and pushes the changes to the specified branch.
-
-6. **Create or Update Pull Request**
- - Creates a new pull request or updates an existing pull request with the modified ECS templates.
-
-#### References
-
-- [ECS repository](https://github.com/elastic/ecs)
-- [ECS usage](https://github.com/elastic/ecs/blob/main/USAGE.md)
-- [ECS field reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html)
diff --git a/ecs/agent/event-generator/event_generator.py b/ecs/agent/event-generator/event_generator.py
deleted file mode 100644
index 32743e2665c79..0000000000000
--- a/ecs/agent/event-generator/event_generator.py
+++ /dev/null
@@ -1,182 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-agents" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'status': random.choice(['active', 'inactive']), - 'last_login': generate_random_date(), - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'key': f'key{random.randint(0, 999)}', - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - family = random.choice( - ['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']) - version = f'{random.randint(0, 99)}.{random.randint(0, 99)}' - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'boot{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(0, 1000000) - }, - 'write': { - 'bytes': random.randint(0, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 999)}', - 'geo': { - 'city_name': random.choice(['San Francisco', 'New York', 'Berlin', 'Tokyo']), - 'continent_code': random.choice(['NA', 'EU', 'AS']), - 
'continent_name': random.choice(['North America', 'Europe', 'Asia']), - 'country_iso_code': random.choice(['US', 'DE', 'JP']), - 'country_name': random.choice(['United States', 'Germany', 'Japan']), - 'location': { - 'lat': round(random.uniform(-90.0, 90.0), 6), - 'lon': round(random.uniform(-180.0, 180.0), 6) - }, - 'name': f'geo{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': f'region{random.randint(0, 999)}', - 'region_name': f'Region {random.randint(0, 999)}', - 'timezone': random.choice(['PST', 'EST', 'CET', 'JST']) - }, - 'hostname': f'host{random.randint(0, 9999)}', - 'id': f'hostid{random.randint(0, 9999)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'hostname{random.randint(0, 9999)}', - 'network': { - 'egress': { - 'bytes': random.randint(0, 1000000), - 'packets': random.randint(0, 1000000) - }, - 'ingress': { - 'bytes': random.randint(0, 1000000), - 'packets': random.randint(0, 1000000) - } - }, - 'os': { - 'family': family, - 'full': f'{family} {version}', - 'kernel': f'kernel{random.randint(0, 999)}', - 'name': family, - 'platform': random.choice(['linux', 'windows', 'macos']), - 'type': family, - 'version': version - }, - 'pid_ns_ino': f'{random.randint(1000000, 9999999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 100), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 100), - 'static_score_norm': random.uniform(0, 1) - }, - 'uptime': random.randint(0, 1000000) - } - return host - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - 
'agent': generate_random_agent() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/agent/fields/custom/agent.yml b/ecs/agent/fields/custom/agent.yml deleted file mode 100644 index 03aa894c9d385..0000000000000 --- a/ecs/agent/fields/custom/agent.yml +++ /dev/null 
@@ -1,32 +0,0 @@
----
-- name: agent
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- type: group
- group: 2
- fields:
- - name: groups
- type: keyword
- level: custom
- description: >
- List of groups the agent belong to.
- - name: key
- type: keyword
- level: custom
- description: >
- The registration key of the agent.
- - name: last_login
- type: date
- level: custom
- description: >
- The last time the agent logged in.
- - name: status
- type: keyword
- level: custom
- description: >
- Agents' interpreted connection status depending on `agent.last_login`.
- allowed_values:
- - name: active
- description: Active agent status
- - name: disconnected
- description: Disconnected agent status
\ No newline at end of file
diff --git a/ecs/agent/fields/custom/host.yml b/ecs/agent/fields/custom/host.yml
deleted file mode 100644
index 4398a5d791e6a..0000000000000
--- a/ecs/agent/fields/custom/host.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: host
- reusable:
- top_level: false
- expected:
- - agent
\ No newline at end of file
diff --git a/ecs/agent/fields/custom/os.yml b/ecs/agent/fields/custom/os.yml
deleted file mode 100644
index 952c2d6e93a40..0000000000000
--- a/ecs/agent/fields/custom/os.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: os
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/agent/fields/custom/risk.yml b/ecs/agent/fields/custom/risk.yml
deleted file mode 100644
index 1c06213bc6205..0000000000000
--- a/ecs/agent/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/agent/fields/mapping-settings.json b/ecs/agent/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/agent/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/agent/fields/subset.yml b/ecs/agent/fields/subset.yml
deleted file mode 100644
index 93442c30b420c..0000000000000
--- a/ecs/agent/fields/subset.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-name: agent
-fields:
- base:
- fields:
- tags: []
- agent:
- fields:
- id: {}
- name: {}
- type: {}
- version: {}
- groups: {}
- key: {}
- last_login: {}
- status: {}
- host:
- fields: "*"
\ No newline at end of file
diff --git a/ecs/agent/fields/template-settings-legacy.json b/ecs/agent/fields/template-settings-legacy.json
deleted file mode 100644
index 9f32141d95b23..0000000000000
--- a/ecs/agent/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "index_patterns": [
- "wazuh-agents*"
- ],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.name",
- "agent.type",
- "agent.version",
- "agent.name",
- "host.os.full",
- "host.ip"
- ]
- }
- }
-}
diff --git a/ecs/agent/fields/template-settings.json b/ecs/agent/fields/template-settings.json
deleted file mode 100644
index 610687b43595d..0000000000000
--- a/ecs/agent/fields/template-settings.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
- "index_patterns": [
- "wazuh-agents*"
- ],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.name",
- "agent.type",
- "agent.version",
- "agent.name",
- "host.os.full",
- "host.ip"
- ]
- }
- }
- }
-}
diff --git a/ecs/alerts/fields/custom/agent.yml b/ecs/alerts/fields/custom/agent.yml
deleted file mode 100644
index 9feecf4e2da98..0000000000000
--- a/ecs/alerts/fields/custom/agent.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: agent
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- type: group
- group: 2
- fields:
- - name: groups
- type: keyword
- level: custom
- description: >
- List of groups the agent belong to.
diff --git a/ecs/alerts/fields/custom/host.yml b/ecs/alerts/fields/custom/host.yml
deleted file mode 100644
index a0356d13da657..0000000000000
--- a/ecs/alerts/fields/custom/host.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: host
- reusable:
- top_level: true
- expected:
- - { at: agent, as: host }
\ No newline at end of file
diff --git a/ecs/alerts/fields/custom/os.yml b/ecs/alerts/fields/custom/os.yml
deleted file mode 100644
index 952c2d6e93a40..0000000000000
--- a/ecs/alerts/fields/custom/os.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: os
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/alerts/fields/custom/risk.yml b/ecs/alerts/fields/custom/risk.yml
deleted file mode 100644
index 1c06213bc6205..0000000000000
--- a/ecs/alerts/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/alerts/fields/mapping-settings.json b/ecs/alerts/fields/mapping-settings.json
deleted file mode 100644
index f176a1c52e87f..0000000000000
--- a/ecs/alerts/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": true,
- "date_detection": false
-}
diff --git a/ecs/alerts/fields/subset.yml b/ecs/alerts/fields/subset.yml
deleted file mode 100644
index 8e9508407de7f..0000000000000
--- a/ecs/alerts/fields/subset.yml
+++ /dev/null
@@ -1,603 +0,0 @@ ---- -name: main -fields: - base: - fields: "*" - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - as: - fields: "*" - client: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - cloud: - fields: "*" - code_signature: - fields: "*" - container: - fields: "*" - data_stream: - fields: "*" - destination: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - device: - fields: "*" - dll: - fields: "*" - dns: - fields: "*" - ecs: - fields: "*" - elf: - fields: "*" - email: - fields: "*" - error: - fields: "*" - event: - fields: "*" - faas: - fields: "*" - file: - fields: "*" - geo: - fields: "*" - group: - fields: "*" - hash: - fields: "*" - host: - fields: "*" - http: - fields: "*" - interface: - fields: "*" - log: - fields: "*" - macho: - fields: "*" - network: - fields: "*" - observer: - fields: "*" - orchestrator: - fields: "*" - organization: - fields: "*" - os: - fields: "*" - package: - fields: "*" - pe: - fields: "*" - process: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - entry_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - entry_meta: - fields: - type: {} - source: - fields: - ip: {} - executable: {} - interactive: {} - name: {} - parent: - fields: - entity_id: {} 
- pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - attested_user: - fields: - id: {} - name: {} - attested_groups: - fields: - name: {} - entry_meta: - fields: - type: - docs_only: True - env_vars: {} - executable: {} - exit_code: {} - group_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - hash: - fields: "*" - interactive: {} - io: - fields: "*" - macho: - fields: "*" - name: {} - parent: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - executable: {} - exit_code: {} - group_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - hash: - fields: "*" - interactive: {} - macho: - fields: "*" - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - start: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - 
uptime: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - previous: - fields: - args: {} - args_count: {} - executable: {} - real_group: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - same_as_process: - docs_only: True - saved_group: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - start: {} - supplemental_groups: - fields: - id: {} - name: {} - session_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - parent: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: - fields: "*" - uptime: {} - user: - fields: - id: {} - name: {} - working_directory: {} - registry: - fields: "*" - related: - fields: "*" - risk: - fields: "*" - rule: - fields: "*" - server: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - 
top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - service: - fields: "*" - source: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - threat: - fields: "*" - tls: - fields: "*" - tracing: - fields: "*" - url: - fields: "*" - user_agent: - fields: "*" - user: - fields: - changes: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - domain: {} - effective: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - risk: - fields: "*" - roles: {} - target: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - vlan: - fields: "*" - vulnerability: - fields: "*" - x509: - fields: "*" \ No newline at end of file diff --git a/ecs/alerts/fields/template-settings-legacy.json b/ecs/alerts/fields/template-settings-legacy.json deleted file mode 100644 index 54aac2ceaf55c..0000000000000 --- a/ecs/alerts/fields/template-settings-legacy.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": [ - "wazuh-alerts-5.x-*" - ], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "mapping": { - "total_fields": { - "limit": 2500 - } - } - } - } -} \ No newline at end of file diff --git a/ecs/alerts/fields/template-settings.json b/ecs/alerts/fields/template-settings.json deleted file mode 100644 index 9982494c55ca2..0000000000000 
--- a/ecs/alerts/fields/template-settings.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "index_patterns": [
- "wazuh-alerts-5.x-*"
- ],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "mapping": {
- "total_fields": {
- "limit": 2500
- }
- },
- "refresh_interval": "5s"
- }
- }
- }
-}
\ No newline at end of file
diff --git a/ecs/command/event-generator/event_generator.py b/ecs/command/event-generator/event_generator.py
deleted file mode 100644
index 316f888e5745b..0000000000000
--- a/ecs/command/event-generator/event_generator.py
+++ /dev/null
@@ -1,165 +0,0 @@
-#!/bin/python3
-
-import argparse
-import datetime
-import json
-import logging
-import random
-import requests
-import urllib3
-import uuid
-
-LOG_FILE = 'generate_data.log'
-GENERATED_DATA_FILE = 'generatedData.json'
-DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
-# Default values
-INDEX_NAME = "wazuh-commands"
-USERNAME = "admin"
-PASSWORD = "admin"
-IP = "127.0.0.1"
-PORT = "9200"
-
-# Configure logging
-logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
-
-# Suppress warnings
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-
-def generate_random_date(initial_date=None, days_range=30):
- if initial_date is None:
- initial_date = datetime.datetime.now(datetime.timezone.utc)
- random_days = random.randint(0, days_range)
- new_timestamp = initial_date + datetime.timedelta(days=random_days)
- return new_timestamp.strftime('%Y-%m-%dT%H:%M:%SZ')
-
-
-def generate_random_command(include_all_fields=False):
- command = {
- "source": random.choice(["Users/Services", "Engine", "Content manager"]),
- "user": f"user{random.randint(1, 100)}",
- "target": {
- "id": f"target{random.randint(1, 10)}",
- "type": random.choice(["agent", "group", "server"])
- },
- "action": {
- "name": random.choice(["restart", "update","change_group", "apply_policy"]),
- "args": { "arg1": f"/path/to/executable/arg{random.randint(1, 10)}"},
- "version": f"v{random.randint(1, 5)}"
- },
- "timeout": random.randint(10, 100)
- }
- if include_all_fields:
- document = {
- "@timestamp": generate_random_date(),
- "delivery_timestamp": generate_random_date(),
- "agent": {"groups": [f"group{random.randint(1, 5)}"]},
- "command": {
- **command,
- "status": random.choice(["pending", "sent", "success", "failure"]),
- "result": {
- "code": random.randint(0, 255),
- "message": f"Result message {random.randint(1, 1000)}",
- "data": f"Result data {random.randint(1, 100)}"
- },
- "request_id": str(uuid.uuid4()),
- "order_id": str(uuid.uuid4())
- }
- }
- return document
-
- return command
-
-
-def generate_random_data(number, include_all_fields=False):
- data = []
- for _ in range(number):
- data.append(generate_random_command(include_all_fields))
- if not include_all_fields:
- return {"commands": data}
- return data
-
-
-def inject_events(protocol, ip, port, index, username, password, data, use_index=False):
- try:
- if not use_index:
- # Use the command-manager API
- url = f'{protocol}://{ip}:{port}/_plugins/_command_manager/commands'
- send_post_request(username, password, url, data)
- return
- for event_data in data:
- # Generate UUIDs for the document id
- doc_id = str(uuid.uuid4())
- url = f'{protocol}://{ip}:{port}/{index}/_doc/{doc_id}'
- send_post_request(username, password, url, event_data)
- logging.info('Data injection completed successfully.')
- except Exception as e:
- logging.error(f'Error: {str(e)}')
-
-
-def send_post_request(username, password, url, event_data):
- session = requests.Session()
- session.auth = (username, password)
- session.verify = False
- headers = {'Content-Type': 'application/json'}
- # Send request
- response = session.post(url, data=json.dumps(event_data), headers=headers)
- if response.status_code not in [201, 200]:
- logging.error(f'Error: {response.status_code}')
- logging.error(response.text)
- return response
-
-
-def main():
- parser = argparse.ArgumentParser(
- description="Generate and optionally inject events into an OpenSearch index or Command Manager."
- )
- parser.add_argument(
- "--index",
- action="store_true",
- help="Generate additional fields for indexing and inject into a specific index."
- )
- parser.add_argument(
- "--protocol",
- choices=['http', 'https'],
- default='https',
- help="Specify the protocol to use: http or https."
- )
- args = parser.parse_args()
-
- try:
- number = int(input("How many events do you want to generate? "))
- except ValueError:
- logging.error("Invalid input. Please enter a valid number.")
- return
-
- logging.info(f"Generating {number} events...")
- data = generate_random_data(number, include_all_fields=args.index)
-
- with open(GENERATED_DATA_FILE, 'a') as outfile:
- json.dump(data, outfile)
- outfile.write('\n')
-
- logging.info('Data generation completed.')
-
- inject = input(
- "Do you want to inject the generated data into your indexer/command manager? (y/n) "
- ).strip().lower()
- if inject == 'y':
- ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
- port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
-
- if args.index:
- index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
- else:
- index = None
-
- username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
- password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
-
- inject_events(args.protocol, ip, port, index, username, password,
- data, use_index=bool(args.index))
-
-
-if __name__ == "__main__":
- main()
diff --git a/ecs/command/fields/custom/agent.yml b/ecs/command/fields/custom/agent.yml
deleted file mode 100644
index fd3cb2e6c41c9..0000000000000
--- a/ecs/command/fields/custom/agent.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: agent
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- type: group
- group: 2
- fields:
- - name: groups
- type: keyword
- level: custom
- description: >
- List of groups the agent belong to.
\ No newline at end of file
diff --git a/ecs/command/fields/custom/base.yml b/ecs/command/fields/custom/base.yml
deleted file mode 100644
index a55b964085f7a..0000000000000
--- a/ecs/command/fields/custom/base.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: base
- title: Wazuh base fields
- root: true
- fields:
- - name: delivery_timestamp
- type: date
- level: custom
- description: >
- The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout.
diff --git a/ecs/command/fields/custom/command.yml b/ecs/command/fields/custom/command.yml
deleted file mode 100644
index c19228d60f775..0000000000000
--- a/ecs/command/fields/custom/command.yml
+++ /dev/null
@@ -1,79 +0,0 @@
----
-- name: command
- title: Wazuh commands
- short: Wazuh Inc. custom fields.
- description: >
- This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers.
- type: group
- group: 2
- fields:
- - name: source
- type: keyword
- level: custom
- description: >
- Origin of the request.
- - name: user
- type: keyword
- level: custom
- description: >
- The user that originated the request.
- - name: target.id
- type: keyword
- level: custom
- description: >
- Unique identifier of the destination to send the command to.
- - name: target.type
- type: keyword
- level: custom
- description: >
- The destination type. One of [`group`, `agent`, `server`]
- - name: action.name
- type: keyword
- level: custom
- description: >
- The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ...
- - name: action.args
- type: object
- level: custom
- description: >
- Command arguments object.
- - name: action.version
- type: keyword
- level: custom
- description: >
- Version of the command's schema.
- - name: timeout
- type: short
- level: custom
- description: >
- Seconds in which the command has to be sent to its target.
- - name: status
- type: keyword
- level: custom
- description: >
- Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure'].
- - name: result.code
- type: short
- level: custom
- description: >
- Status code returned by the target.
- - name: result.message
- type: keyword
- level: custom
- description: >
- Result message returned by the target.
- - name: result.data
- type: keyword
- level: custom
- description: >
- Result data returned by the target.
- - name: request_id
- type: keyword
- level: custom
- description: >
- UUID generated by the Command Manager.
- - name: order_id
- type: keyword
- level: custom
- description: >
- UUID generated by the Command Manager.
diff --git a/ecs/command/fields/mapping-settings.json b/ecs/command/fields/mapping-settings.json
deleted file mode 100644
index 4c187abd62e87..0000000000000
--- a/ecs/command/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "true",
- "date_detection": false
-}
diff --git a/ecs/command/fields/subset.yml b/ecs/command/fields/subset.yml
deleted file mode 100644
index 7c16f42fba49e..0000000000000
--- a/ecs/command/fields/subset.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-name: command
-fields:
- base:
- fields:
- tags: []
- "@timestamp": {}
- "delivery_timestamp": {}
- agent:
- fields:
- groups: {}
- command:
- fields: "*"
diff --git a/ecs/command/fields/template-settings-legacy.json b/ecs/command/fields/template-settings-legacy.json
deleted file mode 100644
index 1223dfb62db58..0000000000000
--- a/ecs/command/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "index_patterns": ["wazuh-commands*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "command.source",
- "command.target.type",
- "command.status",
- "command.action.name"
- ]
- }
- }
-}
diff --git a/ecs/command/fields/template-settings.json b/ecs/command/fields/template-settings.json
deleted file mode 100644
index b773aee50d87c..0000000000000
--- a/ecs/command/fields/template-settings.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "index_patterns": [
- "wazuh-commands*"
- ],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "command.source",
- "command.target.type",
- "command.status",
- "command.action.name"
- ]
- }
- }
- }
-}
diff --git a/ecs/docs/README.md b/ecs/docs/README.md
deleted file mode 100644
index a94635cbce67b..0000000000000
--- a/ecs/docs/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Wazuh Common Schema
-
-The Wazuh Common Schema is a derivation of the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) (ECS) providing a common data schema for the different central components of Wazuh.
-
-- [agent](./agent.md)
-- [alerts](alerts.md)
-- [command](commands.md)
-- [states-fim](states-fim.md)
-- [states-inventory-hardware](states-inventory-hardware.md)
-- [states-inventory-hotfixes](states-inventory-hotfixes.md)
-- [states-inventory-networks](states-inventory-networks.md)
-- [states-inventory-packages](states-inventory-packages.md)
-- [states-inventory-ports](states-inventory-ports.md)
-- [states-inventory-processes](states-inventory-processes.md)
-- [states-inventory-system](states-inventory-system.md)
-- [states-vulnerabilities](states-vulnerabilities.md)
-
----
-
-### Useful resources
-For more information and additional resources, please refer to the following links:
-- [ECS schemas repository](https://github.com/elastic/ecs/tree/main/schemas)
diff --git a/ecs/docs/agents.md b/ecs/docs/agents.md
deleted file mode 100644
index 135c081fbb00a..0000000000000
--- a/ecs/docs/agents.md
+++ /dev/null
@@ -1,108 +0,0 @@ -## `agents` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh/issues/23396#issuecomment-2176402993 - -Based on ECS [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). - -| | Field | Type | Description | Example | -| --- | -------------------- | ------- | ---------------------------------------------------------------------- | ---------------------------------- | -| | `agent.id` | keyword | Unique identifier of this agent. | `8a4f500d` | -| | `agent.name` | keyword | Custom name of the agent. | `foo` | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | `["group1", "group2"]` | -| \* | `agent.key` | keyword | The registration key of the agent. | `BfDbq0PpcLl9iWatJjY1shGvuQ4KXyOR` | -| | `agent.type` | keyword | Type of agent. | `endpoint` | -| | `agent.version` | keyword | Version of the agent. | `6.0.0-rc2` | -| \* | `agent.is_connected` | boolean | Agents' interpreted connection status depending on `agent.last_login`. | | -| \* | `agent.last_login` | date | The last time the agent logged in. | `11/11/2024 00:00:00` | -| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | -| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: agent -fields: - base: - fields: - tags: [] - agent: - fields: - id: {} - name: {} - type: {} - version: {} - groups: {} - key: {} - last_login: {} - is_connected: {} - host: - fields: - ip: {} - os: - fields: - full: {} -``` - -```yml ---- ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - The groups the agent belongs to. - - name: key - type: keyword - level: custom - description: > - The agent's registration key. 
- - name: last_login - type: date - level: custom - description: > - The agent's last login. - - name: is_connected - type: boolean - level: custom - description: > - Agents' interpreted connection status depending on `agent.last_login`. -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-agents*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "agent.name", - "agent.type", - "agent.version", - "agent.name", - "host.os.full", - "host.ip" - ] - } - } - } -} -``` diff --git a/ecs/docs/alerts.md b/ecs/docs/alerts.md deleted file mode 100644 index dfe644ce40dc0..0000000000000 --- a/ecs/docs/alerts.md +++ /dev/null 
@@ -1,644 +0,0 @@ -## `wazuh-alerts-5.x` time series index - -Stateless index. - -### Fields summary - -For this stage, we are using all the fields of the ECS. No custom fields are used. As a result, we are using the default mapping of the ECS. - -- [ECS main mappings](https://github.com/elastic/ecs/blob/v8.11.0/schemas/subsets/main.yml) - -The generated template must match [this one](https://github.com/elastic/ecs/blob/v8.11.0/generated/elasticsearch/legacy/template.json). - -### ECS mapping - -```yml ---- -name: main -fields: - base: - fields: "*" - agent: - fields: "*" - as: - fields: "*" - client: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - cloud: - fields: "*" - code_signature: - fields: "*" - container: - fields: "*" - data_stream: - fields: "*" - destination: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - device: - fields: "*" - dll: - fields: "*" - dns: - fields: "*" - ecs: - fields: "*" - elf: - fields: "*" - email: - fields: "*" - error: - fields: "*" - event: - fields: "*" - faas: - fields: "*" - file: - fields: "*" - geo: - fields: "*" - group: - fields: "*" - hash: - fields: "*" - host: - fields: "*" - http: - fields: "*" - interface: - fields: "*" - log: - fields: "*" - macho: - fields: "*" - network: - fields: "*" - observer: - fields: "*" - orchestrator: - fields: "*" - organization: - fields: "*" - os: - fields: "*" - package: - 
fields: "*" - pe: - fields: "*" - process: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - entry_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - entry_meta: - fields: - type: {} - source: - fields: - ip: {} - executable: {} - interactive: {} - name: {} - parent: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - attested_user: - fields: - id: {} - name: {} - attested_groups: - fields: - name: {} - entry_meta: - fields: - type: - docs_only: True - env_vars: {} - executable: {} - exit_code: {} - group_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - hash: - fields: "*" - interactive: {} - io: - fields: "*" - macho: - fields: "*" - name: {} - parent: - fields: - args: {} - args_count: {} - code_signature: - fields: "*" - command_line: {} - elf: - fields: "*" - end: {} - entity_id: {} - executable: 
{} - exit_code: {} - group_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - hash: - fields: "*" - interactive: {} - macho: - fields: "*" - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - start: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - uptime: {} - working_directory: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - pe: - fields: "*" - pgid: {} - pid: {} - vpid: {} - previous: - fields: - args: {} - args_count: {} - executable: {} - real_group: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - same_as_process: - docs_only: True - saved_group: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - start: {} - supplemental_groups: - fields: - id: {} - name: {} - session_leader: - fields: - args: {} - args_count: {} - command_line: {} - entity_id: {} - executable: {} - interactive: {} - name: {} - pid: {} - vpid: {} - same_as_process: {} - start: {} - tty: - fields: - char_device: - fields: - major: {} - minor: {} - working_directory: {} - parent: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - session_leader: - fields: - entity_id: {} - pid: {} - vpid: {} - start: {} - user: - fields: - id: {} - name: {} - real_user: - fields: - id: {} - name: {} - saved_user: - fields: - id: {} - name: {} - group: - fields: - id: {} - name: {} - real_group: - fields: - id: {} - name: {} - saved_group: - fields: - id: {} - name: {} - supplemental_groups: - fields: - id: {} - name: {} - thread: - fields: - id: {} - name: {} - capabilities: - fields: - effective: {} - permitted: {} - title: {} - tty: 
- fields: "*" - uptime: {} - user: - fields: - id: {} - name: {} - working_directory: {} - registry: - fields: "*" - related: - fields: "*" - risk: - fields: "*" - rule: - fields: "*" - server: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - service: - fields: "*" - source: - fields: - address: {} - as: - fields: "*" - bytes: {} - domain: {} - geo: - fields: "*" - ip: {} - mac: {} - nat: - fields: - ip: {} - port: {} - packets: {} - port: {} - subdomain: {} - registered_domain: {} - top_level_domain: {} - user: - fields: - domain: {} - email: {} - full_name: {} - group: - fields: "*" - hash: {} - id: {} - name: {} - roles: {} - threat: - fields: "*" - tls: - fields: "*" - tracing: - fields: "*" - url: - fields: "*" - user_agent: - fields: "*" - user: - fields: - changes: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - domain: {} - effective: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - risk: - fields: "*" - roles: {} - target: - fields: - domain: {} - email: {} - group: - fields: "*" - full_name: {} - hash: {} - id: {} - name: {} - roles: {} - vlan: - fields: "*" - vulnerability: - fields: "*" - x509: - fields: "*" -``` - -### Template settings - -```json -{ - "index_patterns": [ - "wazuh-alerts-5.x-*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": 2500 - } - }, - "refresh_interval": "5s" - } - } - } -} -``` - -### Mapping settings - -```json -{ - "dynamic": true, - 
"date_detection": false -} -``` diff --git a/ecs/docs/commands.md b/ecs/docs/commands.md deleted file mode 100644 index 5cd6d34eed49a..0000000000000 --- a/ecs/docs/commands.md +++ /dev/null 
@@ -1,168 +0,0 @@ -## `commands` index data model - -> [!NOTE] -> rev 0.1 - September 18th, 2024: Add initial model. -> rev 0.2 - September 30th, 2024: Change type of `request_id`, `order_id` and `id` to keyword. -> rev 0.3 - October 3rd, 2024: Change descriptions for `command.type`, `command.action.type`, `command.request_id`, `command.order_id`. -> rev 0.4 - October 9th, 2024: Apply changes described in https://github.com/wazuh/wazuh-indexer-plugins/issues/96#issue-2576028654. -> rev 0.5 - December 3rd, 2024: Added `@timestamp` and `delivery_timestamp` date fields. -> rev 0.6 - January 24th, 2025: Rename index to `wazuh-commands`. The index is now visible to users. - -### Fields summary - -This index stores information about the commands executed by the agents. The index appears in 5.0.0 for the first time. - -| | Field | Type | Description | -| --- | ------------------------ | ------- | ----------------------------------------------------------------------------------------------------------------------------------- | -| \* | `agent.groups` | keyword | List of groups the agent belong to. | -| \* | `command.source` | keyword | Origin of the request. One of [`Users/Services` (via Management API), `Engine` (via Management API), `Content manager` (directly)]. | -| \* | `command.user` | keyword | The user that originated the request. This user may represent a Management API or Indexer API user depending on the source. | -| \* | `command.target.id` | keyword | Unique identifier of the destination to send the command to. | -| \* | `command.target.type` | keyword | The destination type. One of [`group`, `agent`, `server`], | -| \* | `command.action.name` | keyword | The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... | -| \* | `command.action.args` | object | Command arguments. The Object type allows for ad-hoc format of the value. | -| \* | `command.action.version` | keyword | Version of the command's schema. 
| -| \* | `command.timeout` | short | Time window in which the command has to be sent to its target. | -| \* | `command.status` | keyword | Status within the Command Manager's context. One of [`pending`, `sent`, `success`, `failure`]. | -| \* | `command.result.code` | short | Status code returned by the target. | -| \* | `command.result.message` | keyword | Result message returned by the target. | -| \* | `command.result.data` | keyword | Result data returned by the target. | -| \* | `command.request_id` | keyword | UUID generated by the Command Manager. | -| \* | `command.order_id` | keyword | UUID generated by the Command Manager. | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: command -fields: - base: - fields: - tags: [] - "@timestamp": {} - "delivery_timestamp": {} - agent: - fields: - groups: {} - command: - fields: "*" -``` - -```yml ---- -- name: command - title: Wazuh commands - short: Wazuh Inc. custom fields. - description: > - This index stores information about the Wazuh's commands. These commands can be sent to agents or Wazuh servers. - type: group - group: 2 - fields: - - name: source - type: keyword - level: custom - description: > - Origin of the request. - - name: user - type: keyword - level: custom - description: > - The user that originated the request. - - name: target.id - type: keyword - level: custom - description: > - Unique identifier of the destination to send the command to. - - name: target.type - type: keyword - level: custom - description: > - The destination type. One of [`group`, `agent`, `server`] - - name: action.name - type: keyword - level: custom - description: > - The requested action type. Examples: `restart`, `update`, `change_group`, `apply_policy`, ... - - name: action.args - type: keyword - level: custom - description: > - Array of command arguments, starting with the absolute path to the executable. 
- - name: action.version - type: keyword - level: custom - description: > - Version of the command's schema. - - name: timeout - type: short - level: custom - description: > - Time window in which the command has to be sent to its target. - - name: status - type: keyword - level: custom - description: > - Status within the Command Manager's context. One of ['pending', 'sent', 'success', 'failure']. - - name: result.code - type: short - level: custom - description: > - Status code returned by the target. - - name: result.message - type: keyword - level: custom - description: > - Result message returned by the target. - - name: result.data - type: keyword - level: custom - description: > - Result data returned by the target. - - name: request_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. - - name: order_id - type: keyword - level: custom - description: > - UUID generated by the Command Manager. -``` -```yml -- name: base - title: Wazuh base fields - root: true - fields: - - name: delivery_timestamp - type: date - level: custom - description: > - The latest date-time for the command to be delivered. Calculated as the current timestamp plus the timeout. -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-commands*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "command.source", - "command.target.type", - "command.status", - "command.action.name" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-hardware.md b/ecs/docs/inventory-hardware.md deleted file mode 100644 index 29c9f103e3f55..0000000000000 --- a/ecs/docs/inventory-hardware.md +++ /dev/null 
@@ -1,81 +0,0 @@
-## `wazuh-states-inventory-hardware` index data model
-
-### Fields summary
-
-The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612
-
-Based on ECS:
-
-- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html).
-- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html).
-
-| | Field name | Data type | Description | Example |
-| --- | ----------------------------- | --------- | ------------------------------------ | -------------------------- |
-| | `agent.*` | object | All the agent fields. | ` |
-| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` |
-| | `observer.serial_number` | keyword | Observer serial number. | |
-| \* | `host.cpu.name` | keyword | Name of the CPU | |
-| \* | `host.cpu.cores` | long | Number of CPU cores | |
-| \* | `host.cpu.speed` | long | Speed of the CPU in MHz | |
-| \* | `host.memory.total` | long | Total RAM in the system | |
-| \* | `host.memory.free` | long | Free RAM in the system | |
-| \* | `host.memory.used.percentage` | long | RAM usage as a percentage | |
-
-\* Custom fields
-
-### ECS mapping
-
-```yml
----
-name: wazuh-states-inventory-hardware
-fields:
- base:
- fields:
- tags: []
- "@timestamp": {}
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- observer:
- fields:
- serial_number: {}
- host:
- fields:
- memory:
- fields:
- total: {}
- free: {}
- used:
- fields:
- percentage: {}
- cpu:
- fields:
- name: {}
- cores: {}
- speed: {}
-```
-
-### Index settings
-
-```json
-{
- "index_patterns": ["wazuh-states-inventory-hardware*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": ["observer.board_serial"]
- }
- }
- }
-}
-```
diff --git a/ecs/docs/inventory-hotfixes.md b/ecs/docs/inventory-hotfixes.md
deleted file mode 100644
index 23ddbf8855fd3..0000000000000
--- a/ecs/docs/inventory-hotfixes.md
+++ /dev/null
@@ -1,66 +0,0 @@
-## `wazuh-states-inventory-hotfixes` index data model
-
-### Fields summary
-
-The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612
-
-Based on ECS:
-
-- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html).
-
-| | Field name | Data type | Description | Example |
-| --- | --------------------- | --------- | --------------------- | -------------------------- |
-| | `agent.*` | object | All the agent fields. | ` |
-| | `@timestamp` | date | Timestamp of the scan | `2016-05-23T08:05:34.853Z` |
-| \* | `package.hotfix.name` | keyword | Name of the hotfix | |
-
-\* Custom fields
-
-### ECS mapping
-
-```yml
----
-name: wazuh-states-inventory-hotfixes
-fields:
- base:
- fields:
- tags: []
- "@timestamp": {}
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- package:
- fields:
- hotfix:
- fields:
- name: {}
-```
-
-### Index settings
-
-```json
-{
- "index_patterns": [
- "wazuh-states-inventory-hotfixes*"
- ],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "package.hotfix.name"
- ]
- }
- }
- }
-}
-```
diff --git a/ecs/docs/inventory-networks.md b/ecs/docs/inventory-networks.md
deleted file mode 100644
index 9a565348e1f05..0000000000000
--- a/ecs/docs/inventory-networks.md
+++ /dev/null
@@ -1,116 +0,0 @@ -## `wazuh-states-inventory-networks` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Observer Fields](https://www.elastic.co/guide/en/ecs/current/ecs-observer.html). -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). - -| | Field name | Data type | Description | Example | -| --- | ---------------------------------- | --------- | ------------------------------------------------------------------------------ | -------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | -| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | -| | `host.ip` | ip | Host IP addresses. Note: this field should contain an array of values. | `["192.168.56.11", "10.54.27.1"]` | -| | `host.mac` | keyword | Host MAC addresses. | | -| | `host.network.egress.bytes` | long | The number of bytes sent on all network interfaces. | | -| | `host.network.egress.packets` | long | The number of packets sent on all network interfaces. | | -| | `host.network.ingress.bytes` | long | The number of bytes received on all network interfaces. | | -| | `host.network.ingress.packets` | long | The number of packets received on all network interfaces. | | -| | `network.protocol` | keyword | Application protocol name. | `http` | -| | `network.type` | keyword | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc. | `ipv4` | -| | `observer.ingress.interface.alias` | keyword | Interface alias. | `outside` | -| | `observer.ingress.interface.name` | keyword | Interface name. | `eth0` | -| \* | `host.network.egress.drops` | long | Number of dropped transmitted packets. 
| | -| \* | `host.network.egress.errors` | long | Number of transmission errors. | | -| \* | `host.network.ingress.drops` | long | Number of dropped received packets. | | -| \* | `host.network.ingress.errors` | long | Number of reception errors. | | -| \* | `interface.mtu` | long | Maximum transmission unit size. | | -| \* | `interface.state` | keyword | State of the network interface. | | -| \* | `interface.type` | keyword | Interface type (eg. "wireless" or "ethernet"). | | -| \* | `network.broadcast` | ip | Broadcast address. | | -| \* | `network.dhcp` | keyword | DHCP status (enabled, disabled, unknown, BOOTP). | | -| \* | `network.gateway` | ip | Gateway address. | | -| \* | `network.metric` | long | Metric of the network protocol. | | -| \* | `network.netmask` | ip | Network mask. | | - -\* Custom fields - -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-networks -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - host: - fields: "*" - interface: - fields: - mtu: {} - state: {} - type: {} - network: - fields: - broadcast: {} - dhcp: {} - gateway: {} - metric: {} - netmask: {} - protocol: {} - type: {} - observer: - fields: - ingress: - fields: - interface: - fields: - alias: {} - name: {} -``` - -### Index settings - -```json -{ - "index_patterns": [ - "wazuh-states-inventory-networks*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "device.id", - "event.id", - "host.ip", - "observer.ingress.interface.name", - "observer.ingress.interface.alias", - "process.name" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-packages.md b/ecs/docs/inventory-packages.md deleted file mode 100644 index a40ba21b98631..0000000000000 --- a/ecs/docs/inventory-packages.md +++ /dev/null 
@@ -1,95 +0,0 @@ -## `wazuh-states-inventory-packages` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). - -| | Field name | Data type | Description | Example | -| --- | ---------------------- | --------- | ------------------------------------ | ------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Timestamp of the scan. | | -| | `package.architecture` | keyword | Package architecture. | | -| | `package.description` | keyword | Description of the package. | | -| | `package.installed` | date | Time when package was installed. | | -| | `package.name` | keyword | Package name. | | -| | `package.path` | keyword | Path where the package is installed. | | -| | `package.size` | long | Package size in bytes. | | -| | `package.type` | keyword | Package type. | | -| | `package.version` | keyword | Package version. | | - -\* Custom field - -
Fields not included in ECS -

- -| | Field name | ECS field name | Data type | Description | -| --- | ---------- | ----------------- | --------- | ------------------------------------------------------------------------------ | -| ? | priority | | | Priority of the program | -| ? | section | | | Section of the program category the package belongs to in DEB package managers | -| X | vendor | package.reference | keyword | Home page or reference URL of the software in this package, if available. | -| ? | multiarch | | | Multi-architecture compatibility | -| X | source | | | Source of the program - package manager | - -

-
- -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-packages -fields: - base: - fields: - "@timestamp": {} - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: - architecture: "" - description: "" - installed: {} - name: "" - path: "" - size: {} - type: "" - version: "" -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-inventory-packages*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "package.architecture", - "package.name", - "package.version", - "package.type" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-ports.md b/ecs/docs/inventory-ports.md deleted file mode 100644 index ae576b9cc90a4..0000000000000 --- a/ecs/docs/inventory-ports.md +++ /dev/null 
@@ -1,112 +0,0 @@ -## `wazuh-states-inventory-ports` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Interface Fields](https://www.elastic.co/guide/en/ecs/current/ecs-interface.html). -- [Network Fields](https://www.elastic.co/guide/en/ecs/current/ecs-network.html). -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). - -| | Field name | Data type | Description | Example | -| --- | ---------------------------- | --------- | ---------------------------------------------- | -------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Timestamp of the scan. | `2016-05-23T08:05:34.853Z` | -| | `destination.ip` | ip | IP address of the destination. | `["192.168.0.100"]` | -| | `destination.port` | long | Port of the destination. | | -| | `device.id` | keyword | The unique identifier of a device. | `00000000-54b3-e7c7-0000-000046bffd97` | -| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | -| | `network.protocol` | keyword | Application protocol name. | `http` | -| | `process.name` | keyword | Process name. | `ssh` | -| | `process.pid` | long | Process ID. | `4242` | -| | `source.ip` | ip | IP address of the source. | `["192.168.0.100"]` | -| | `source.port` | long | Port of the source. | | -| \* | `host.network.egress.queue` | long | Transmit queue length. | | -| \* | `host.network.ingress.queue` | long | Receive queue length. | | -| \* | `interface.state` | keyword | State of the network interface. 
| | - -\* Custom fields - -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-ports -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - destination: - fields: - ip: {} - port: {} - device: - fields: - id: {} - file: - fields: - inode: {} - host: - fields: - network: - fields: - egress: - fields: - queue: {} - ingress: - fields: - queue: {} - network: - fields: - protocol: {} - process: - fields: - name: {} - pid: {} - source: - fields: - ip: {} - port: {} - interface: - fields: - state: {} -``` - -### Index settings - -```json -{ - "index_patterns": [ - "wazuh-states-inventory-ports*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "source.ip", - "destination.ip" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md deleted file mode 100644 index 4f3451746aaed..0000000000000 --- a/ecs/docs/inventory-processes.md +++ /dev/null 
@@ -1,138 +0,0 @@ -## `wazuh-states-inventory-processes` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html). - -| | Field name | Data type | Description | Examples | Comments | -|----|---------------------------------| --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | | -| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | | -| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | | -| | `process.name` | keyword | Process name. | `ssh` | | -| | `process.parent.pid` | long | Parent process ID. | `4242` | | -| | `process.pid` | long | Process ID. | `4242` | | -| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | | -| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | -| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | | -| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | -| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | | -| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | | -| ! | `process.thread.id` | long | Thread ID. | | `thread.group` is **not part of ECS;** but `thread.id` is. 
| -| | `process.tty.char_device.major` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification | -| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | | - -\* Custom field - -!: Fields awaiting analysis - -
Fields not included in ECS -

- -| | Field name | ECS field name | Data type | Description | Example | Comments | -| --- | ---------- | ------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------- | ------- | ---------------------------------------------------------- | -| x | state | `process.state` | **No ECS mapping** | State of the process | | **Not part of ECS;** Maybe as a custom field. | -| x | utime | `process.cpu.user` | **No ECS mapping** | User mode CPU time | | **Not part of ECS;** Maybe as a custom field. | -| x | stime | `process.cpu.system` | **No ECS mapping** | Kernel mode CPU time | | **Not part of ECS;** Maybe as a custom field. | -| x? | fgroup | `process.group.file.id` | **No ECS mapping** | unknown | | | -| x | priority | `process.priority` | **No ECS mapping** | Process priority | | **Not part of ECS;** Maybe as a custom field. | -| x | nice | `process.nice` | **No ECS mapping** | Nice value | | **Not part of ECS;** Maybe as a custom field. | -| x | size | `process.size` | **No ECS mapping** | Process size | | **Not part of ECS;** Maybe as a custom field. | -| x | vm_size | `process.vm.size` | **No ECS mapping** | Virtual memory size | | **Not part of ECS;** Maybe as a custom field. | -| x | resident | `process.memory.resident` | **No ECS mapping** | Resident set size | | **Not part of ECS;** Maybe as a custom field. | -| x | share | `process.memory.share` | **No ECS mapping** | Shared memory size | | **Not part of ECS;** Maybe as a custom field. | -| ! | pgrp | `process.group.id` | keyword | Process group | | Isn't it duplicated ?? | -| x | session | `process.session` | **No ECS mapping** | Session ID | | **Not part of ECS;** Needs clarification. | -| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | | **Not part of ECS;** Needs clarification. | -| ! 
| tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | | `thread.group` is **not part of ECS;** but `thread.id` is. | -| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | | No ECS field refers to the core number of the CPU. | - -

-
- -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-processes -fields: - base: - fields: - "@timestamp": {} - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - process: - fields: - pid: {} - name: "" - parent: - fields: - pid: {} - command_line: "" - args: "" - user: - fields: - id: "" - real_user: - fields: - id: "" - saved_user: - fields: - id: "" - group: - fields: - id: "" - real_group: - fields: - id: "" - saved_group: - fields: - id: "" - start: {} - thread: - fields: - id: "" - tty: - fields: - char_device: - fields: - major: "" -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-inventory-processes*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "process.name", - "process.pid", - "process.command_line" - ] - } - } - } -} -``` diff --git a/ecs/docs/inventory-system.md b/ecs/docs/inventory-system.md deleted file mode 100644 index 42dcec74368c5..0000000000000 --- a/ecs/docs/inventory-system.md +++ /dev/null 
@@ -1,98 +0,0 @@ -## `wazuh-states-inventory-system` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189837612 - -Based on ECS: - -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Operating System Fields](https://www.elastic.co/guide/en/ecs/current/ecs-os.html). - -| | Field name | Data type | Description | Example | -| --- | ------------------- | --------- | ---------------------------------------------------------- | -------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | -| | `host.architecture` | keyword | Operating system architecture. | `x86_64` | -| | `host.hostname` | keyword | Hostname of the host. | | -| | `host.os.full` | keyword | Operating system name, including the version or code name. | `Mac OS Mojave` | -| | `host.os.kernel` | keyword | Operating system kernel version as a raw string. | `4.4.0-112-generic` | -| | `host.os.name` | keyword | Operating system name, without the version. | `Mac OS X` | -| | `host.os.platform` | keyword | Operating system platform (such centos, ubuntu, windows). | `darwin` | -| | `host.os.type` | keyword | [linux, macos, unix, windows, ios, android] | `macos` | -| | `host.os.version` | keyword | Operating system version as a raw string. | `10.14.1` | - -\* Custom field - -
Details -

- -Removed fields: - -- os_display_version -- os_major (can be extracted from os_version) -- os_minor (can be extracted from os_version) -- os_patch (can be extracted from os_version) -- os_release -- reference -- release -- scan_id -- sysname -- version -- checksum - -Available fields: - -- `os.family` -- `hots.name` - -

-
- -### ECS mapping - -```yml ---- -name: wazuh-states-inventory-system -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - host: - fields: "*" -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-inventory-system*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.name", - "host.os.type", - "host.os.version" - ] - } - } - } -} -``` diff --git a/ecs/docs/states-fim.md b/ecs/docs/states-fim.md deleted file mode 100644 index 380c71c8d0495..0000000000000 --- a/ecs/docs/states-fim.md +++ /dev/null 
@@ -1,106 +0,0 @@ -## `wazuh-states-fim` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/issues/282#issuecomment-2189377542 - -Based on ECS: - -- [File Fields](https://www.elastic.co/guide/en/ecs/current/ecs-file.html). -- [Registry Fields](https://www.elastic.co/guide/en/ecs/current/ecs-registry.html). - -| | Field | Type | Description | Example | -| --- | ------------------ | ------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | -| | `agent.*` | object | All the agent fields. | ` | -| | `file.attributes` | keyword | Array of file attributes. | `["readonly", "system"]` | -| | `file.gid` | keyword | Primary group ID (GID) of the file. | `1001` | -| | `file.group` | keyword | Primary group name of the file. | `alice` | -| | `file.inode` | keyword | Inode representing the file in the filesystem. | `256383` | -| | `file.name` | keyword | Name of the file including the extension, without the directory. | `example.png` | -| | `file.mode` | keyword | File permissions in octal mode. | `0640` | -| | `file.mtime` | date | Last time the file's metadata changed. | | -| | `file.owner` | keyword | File owner’s username. | | -| | `file.path` | keyword | Full path to the file, including the file name. It should include the drive letter, when appropriate. | `/home/alice/example.png` | -| | `file.size` | long | File size in bytes. | `16384` | -| | `file.target_path` | keyword | Target path for symlinks. | | -| | `file.type` | keyword | File type (file, dir, or symlink). | `file` | -| | `file.uid` | keyword | User ID (UID) of the file owner. | `1001` | -| | `file.hash.md5` | keyword | MD5 hash of the file. | | -| | `file.hash.sha1` | keyword | SHA1 hash of the file. | | -| | `file.hash.sha256` | keyword | SHA256 hash of the file. 
| | -| | `registry.key` | keyword | Hive-relative path of keys. | `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe` | -| | `registry.value` | keyword | Name of the value written. | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger` | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: wazuh-states-fim -fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - file: - fields: - attributes: {} - name: {} - path: {} - gid: {} - group: {} - inode: {} - hash: - fields: - md5: {} - sha1: {} - sha256: {} - mtime: {} - mode: {} - size: {} - target_path: {} - type: {} - uid: {} - owner: {} - registry: - fields: - key: {} - value: {} -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-fim*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } - } -} -``` diff --git a/ecs/docs/states-vulnerability.md b/ecs/docs/states-vulnerability.md deleted file mode 100644 index fd560c1134b30..0000000000000 --- a/ecs/docs/states-vulnerability.md +++ /dev/null 
@@ -1,169 +0,0 @@ -## `wazuh-states-vulnerabilities` index data model - -### Fields summary - -The fields are based on https://github.com/wazuh/wazuh-indexer/blob/4.9.0/ecs/vulnerability-detector - -Based on ECS: - -- [Agent Fields](https://www.elastic.co/guide/en/ecs/current/ecs-agent.html). -- [Package Fields](https://www.elastic.co/guide/en/ecs/current/ecs-package.html). -- [Host Fields](https://www.elastic.co/guide/en/ecs/current/ecs-host.html). -- [Vulnerability Fields](https://www.elastic.co/guide/en/ecs/current/ecs-vulnerability.html). - -| | Field | Type | Description | -| --- | ----------------------------------- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | -| | `agent.*` | object | All the `agent` fields. | ` | -| | `host.*` | object | All the `host` fields. | -| | `package.architecture` | keyword | Package architecture. | -| | `package.build_version` | keyword | Additional information about the build version of the installed package. | -| | `package.checksum` | keyword | Checksum of the installed package for verification. | -| | `package.description` | keyword | Description of the package. | -| | `package.install_scope` | keyword | Indicating how the package was installed, e.g. user-local, global. | -| | `package.installed` | date | Time when package was installed. | -| | `package.license` | keyword | License under which the package was released. | -| | `package.name` | keyword | Package name | -| | `package.path` | keyword | Path where the package is installed. | -| | `package.reference` | keyword | Home page or reference URL of the software in this package, if available. | -| | `package.size` | long | Package size in bytes. | -| | `package.type` | keyword | Type of package. 
| -| | `package.version` | keyword | Package version | -| | `vulnerability.category` | keyword | The type of system or architecture that the vulnerability affects | -| | `vulnerability.classification` | keyword | The classification of the vulnerability scoring system. | -| | `vulnerability.description` | keyword | The description of the vulnerability that provides additional context of the vulnerability | -| \* | `vulnerability.detected_at` | date | Vulnerability's detection date. | -| | `vulnerability.enumeration` | keyword | The type of identifier used for this vulnerability. | -| | `vulnerability.id` | keyword | The identification (ID) is the number portion of a vulnerability entry. | -| \* | `vulnerability.published_at` | date | Vulnerability's publication date. | -| | `vulnerability.reference` | keyword | A resource that provides additional information, context, and mitigations for the identified vulnerability. | -| | `vulnerability.report_id` | keyword | The report or scan identification number. | -| \* | `vulnerability.scanner.source` | keyword | The origin of the decision of the scanner (AKA feed used to detect the vulnerability). | -| | `vulnerability.scanner.vendor` | keyword | The name of the vulnerability scanner vendor. | -| | `vulnerability.score.base` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| | `vulnerability.score.environmental` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| | `vulnerability.score.temporal` | float | Scores can range from 0.0 to 10.0, with 10.0 being the most severe. | -| | `vulnerability.score.version` | keyword | The National Vulnerability Database (NVD) provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges in addition to the severity ratings for CVSS v3.0 as they are defined in the CVSS v3.0 specification. 
| -| | `vulnerability.severity` | keyword | The severity of the vulnerability can help with metrics and internal prioritization regarding remediation. | -| \* | `vulnerability.under_evaluation` | boolean | Indicates if the vulnerability is awaiting analysis by the NVD. | -| \* | `wazuh.cluster.name` | keyword | Name of the Wazuh cluster. | -| \* | `wazuh.cluster.node` | keyword | Name of the Wazuh cluster node. | -| \* | `wazuh.schema.version` | keyword | Version of the Wazuh schema. | - -\* Custom field. - -### ECS mapping - -```yml ---- -name: wazuh-states-vulnerabilities -fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: "*" - host: - fields: "*" - vulnerability: - fields: "*" - wazuh: - fields: "*" - -``` - -```yml ---- -- name: vulnerability - title: Vulnerability - group: 2 - short: Fields to describe the vulnerability relevant to an event. - description: > - The vulnerability fields describe information about a vulnerability that is - relevant to an event. - type: group - fields: - - name: detected_at - type: date - level: custom - description: > - Vulnerability's detection date. - - name: published_at - type: date - level: custom - description: > - Vulnerability's publication date. - - name: under_evaluation - type: boolean - level: custom - description: > - Indicates if the vulnerability is awaiting analysis by the NVD. - - name: scanner.source - type: keyword - level: custom - description: > - The origin of the decision of the scanner (AKA feed used to detect the vulnerability). -``` - -```yml ---- ---- -- name: wazuh - title: Wazuh - description: > - Wazuh Inc. custom fields - fields: - - name: cluster.name - type: keyword - level: custom - description: > - Wazuh cluster name. - - name: cluster.node - type: keyword - level: custom - description: > - Wazuh cluster node name. 
- - name: schema.version - type: keyword - level: custom - description: > - Wazuh schema version. -``` - -### Index settings - -```json -{ - "index_patterns": ["wazuh-states-vulnerabilities*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "host.os.full", - "host.os.version", - "package.name", - "package.version", - "vulnerability.id", - "vulnerability.description", - "vulnerability.severity", - "wazuh.cluster.name" - ] - } - } - } -} -``` diff --git a/ecs/generator/images/Dockerfile b/ecs/generator/images/Dockerfile deleted file mode 100644 index 357a2baa73ec8..0000000000000 --- a/ecs/generator/images/Dockerfile +++ /dev/null @@ -1,33 +0,0 @@ -FROM python:3.10 - -# Define the version as a build argument -ARG ECS_VERSION=v8.11.0 - -# Update the package list and upgrade all packages -RUN apt-get update && \ - apt-get upgrade -y && \ - # Install dependencies - apt-get install -y git jq && \ - # Cleanup - apt-get clean && \ - rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ - # Clone elastic ECS repository and install required Python libraries - git clone https://github.com/elastic/ecs.git -b ${ECS_VERSION} --depth 1 && \ - pip install -r ecs/scripts/requirements.txt && \ - # Create the directory for the ecs definitions (this will be used as a volume) - mkdir -p /source/ecs - -# Ensure the generator.sh script is in the correct location -ADD ecs/generator/images/generator.sh /ecs/generator.sh - -# Define the directory as a volume to allow for external mounting -VOLUME /source/ecs - -# Ensure the generator.sh script is executable -RUN chmod +x /ecs/generator.sh - -# Set the working directory to the ECS repository -WORKDIR /ecs - -# Define the entry point for the container to execute the generator.sh script -ENTRYPOINT ["/bin/bash", "/ecs/generator.sh"] 
diff --git a/ecs/generator/images/generator.sh b/ecs/generator/images/generator.sh
deleted file mode 100755
index 2b6b3c05f0068..0000000000000
--- a/ecs/generator/images/generator.sh
+++ /dev/null
@@ -1,103 +0,0 @@ -#!/bin/bash - -set -euo pipefail - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Default values -ECS_VERSION="${ECS_VERSION:-v8.11.0}" -ECS_SOURCE="${ECS_SOURCE:-/source}" - -# Function to display usage information -show_usage() { - echo "Usage: $0" - echo "Environment Variables:" - echo " * ECS_MODULE: Module to generate mappings for" - echo " * ECS_VERSION: (Optional) ECS version to generate mappings for (default: v8.11.0)" - echo " * ECS_SOURCE: (Optional) Path to the wazuh-indexer repository (default: /source)" - echo "Example: docker run -e ECS_MODULE=alerts -e ECS_VERSION=v8.11.0 ecs-generator" -} - -# Ensure ECS_MODULE is provided -if [ -z "${ECS_MODULE:-}" ]; then - show_usage - exit 1 -fi - -# Function to remove multi-fields from the generated index template -remove_multi_fields() { - local in_file="$1" - local out_file="$2" - - jq 'del( - .mappings.properties.agent.properties.host.properties.os.properties.full.fields, - .mappings.properties.agent.properties.host.properties.os.properties.name.fields, - .mappings.properties.host.properties.os.properties.full.fields, - .mappings.properties.host.properties.os.properties.name.fields, - .mappings.properties.process.properties.command_line.fields, - .mappings.properties.process.properties.name.fields, - .mappings.properties.vulnerability.properties.description.fields - )' "$in_file" > "$out_file" -} - -# Function to generate mappings -generate_mappings() { - local ecs_module="$1" - local indexer_path="$2" - local ecs_version="$3" - - local in_files_dir="$indexer_path/ecs/$ecs_module/fields" - local out_dir="$indexer_path/ecs/$ecs_module/mappings/$ecs_version" - - # Ensure the output directory exists - mkdir -p "$out_dir" - - # Generate mappings - python scripts/generator.py --strict --ref "$ecs_version" \ - --include "$in_files_dir/custom/" \ 
- --subset "$in_files_dir/subset.yml" \ - --template-settings "$in_files_dir/template-settings.json" \ - --template-settings-legacy "$in_files_dir/template-settings-legacy.json" \ - --mapping-settings "$in_files_dir/mapping-settings.json" \ - --out "$out_dir" - - # Replace unsupported types - echo "Replacing unsupported types in generated mappings" - find "$out_dir" -type f -exec sed -i 's/constant_keyword/keyword/g' {} \; - find "$out_dir" -type f -exec sed -i 's/wildcard/keyword/g' {} \; - find "$out_dir" -type f -exec sed -i 's/match_only_text/keyword/g' {} \; - find "$out_dir" -type f -exec sed -i 's/flattened/flat_object/g' {} \; - find "$out_dir" -type f -exec sed -i 's/scaled_float/float/g' {} \; - find "$out_dir" -type f -exec sed -i '/scaling_factor/d' {} \; - - local in_file="$out_dir/generated/elasticsearch/legacy/template.json" - local out_file="$out_dir/generated/elasticsearch/legacy/template-tmp.json" - - # Delete the "tags" field from the index template - echo "Deleting the \"tags\" field from the index template" - jq 'del(.mappings.properties.tags)' "$in_file" > "$out_file" - mv "$out_file" "$in_file" - - # Remove multi-fields from the generated index template - echo "Removing multi-fields from the index template" - remove_multi_fields "$in_file" "$out_file" - mv "$out_file" "$in_file" - - # Transform legacy index template for OpenSearch compatibility - jq '{ - "index_patterns": .index_patterns, - "priority": .order, - "template": { - "settings": .settings, - "mappings": .mappings - } - }' "$in_file" > "$out_dir/generated/elasticsearch/legacy/opensearch-template.json" - - echo "Mappings saved to $out_dir" -} - -# Generate mappings -generate_mappings "$ECS_MODULE" "$ECS_SOURCE" "$ECS_VERSION" diff --git a/ecs/generator/mapping-generator.sh b/ecs/generator/mapping-generator.sh deleted file mode 100644 index 3fc2406e11354..0000000000000 --- a/ecs/generator/mapping-generator.sh +++ /dev/null 
@@ -1,79 +0,0 @@ -#!/bin/bash - -# Run the ECS generator tool container. -# Requirements: -# - Docker -# - Docker Compose - -set -e - -# The container is built only if needed, the tool can be executed several times -# for different modules in the same build since the script runs as entrypoint - - - -# ==== -# Checks that the script is run from the intended location -# ==== -function navigate_to_project_root() { - local repo_root_marker - local script_path - repo_root_marker=".github" - script_path=$(dirname "$(realpath "$0")") - - while [[ "$script_path" != "/" ]] && [[ ! -d "$script_path/$repo_root_marker" ]]; do - script_path=$(dirname "$script_path") - done - - if [[ "$script_path" == "/" ]]; then - echo "Error: Unable to find the repository root." - exit 1 - fi - - cd "$script_path" -} - -# ==== -# Displays usage information -# ==== -function usage() { - echo "Usage: $0 {run|down|stop} [REPO_PATH]" - exit 1 -} - -function main() { - local compose_filename="ecs/generator/mapping-generator.yml" - local compose_command - local module - local repo_path - - navigate_to_project_root - - compose_command="docker compose -f $compose_filename" - - case $1 in - run) - if [[ "$#" -lt 2 || "$#" -gt 3 ]]; then - usage - fi - module="$2" - repo_path="${3:-$(pwd)}" - - # Start the container with the required env variables - ECS_MODULE="$module" REPO_PATH="$repo_path" $compose_command up - # The containers are stopped after each execution - $compose_command stop - ;; - down) - $compose_command down - ;; - stop) - $compose_command stop - ;; - *) - usage - ;; - esac -} - -main "$@" diff --git a/ecs/generator/mapping-generator.yml b/ecs/generator/mapping-generator.yml deleted file mode 100644 index e0f54b0248f82..0000000000000 --- a/ecs/generator/mapping-generator.yml +++ /dev/null 
@@ -1,11 +0,0 @@ -services: - ecs-mapping-generator: - image: wazuh-ecs-generator - container_name: wazuh-ecs-generator - build: - context: ./../.. - dockerfile: ${REPO_PATH:-.}/ecs/generator/images/Dockerfile - volumes: - - ${REPO_PATH:-.}/ecs:/source/ecs - environment: - - ECS_MODULE=${ECS_MODULE} diff --git a/ecs/scripts/generate-pr-to-plugins.sh b/ecs/scripts/generate-pr-to-plugins.sh deleted file mode 100644 index 08303890a3c0f..0000000000000 --- a/ecs/scripts/generate-pr-to-plugins.sh +++ /dev/null 
@@ -1,296 +0,0 @@ -#!/usr/bin/env bash - -# Constants -ECS_VERSION=${ECS_VERSION:-v8.11.0} -MAPPINGS_SUBPATH="mappings/${ECS_VERSION}/generated/elasticsearch/legacy/template.json" -TEMPLATES_PATH="plugins/setup/src/main/resources/" -PLUGINS_REPO="wazuh/wazuh-indexer-plugins" -CURRENT_PATH=$(pwd) -OUTPUT_PATH=${OUTPUT_PATH:-"$CURRENT_PATH"/../output} -BASE_BRANCH=${BASE_BRANCH:-main} -PLUGINS_LOCAL_PATH=${PLUGINS_LOCAL_PATH:-"$CURRENT_PATH"/../wazuh-indexer-plugins} - -# Committer's identity -COMMITER_EMAIL=${COMMITER_EMAIL:-$(git config user.email)} -COMMITTER_USERNAME=${COMMITTER_USERNAME:-$(git config user.name)} # Human readable username - -# Global variables -declare -a relevant_modules -declare -A module_to_file - -# Check if a command exists on the system. -# Parameters: -# $1: Command to check. -command_exists() { - command -v "$1" &> /dev/null -} - -# Validate that all required dependencies are installed. -validate_dependencies() { - local required_commands=("docker" "docker-compose" "gh") - for cmd in "${required_commands[@]}"; do - if ! command_exists "$cmd"; then - echo "Error: $cmd is not installed. Please install it and try again." - exit 1 - fi - done -} - -# Check if the script is being executed in a GHA Workflow -check_running_on_gha() { - if [[ -n "${GITHUB_RUN_ID}" ]]; then - return 0 - else - return 1 - fi -} - -# Detect modified ECS modules by comparing the current branch with the base branch. -detect_modified_modules() { - echo - echo "---> Fetching and extracting modified ECS modules..." - git fetch origin +refs/heads/main:refs/remotes/origin/main - local modified_files - local updated_modules=() - modified_files=$(git diff --name-only origin/"$BASE_BRANCH") - - for file in $modified_files; do - if [[ $file == ecs/* ]]; then - ecs_module=$(echo "$file" | cut -d'/' -f2) - if [[ ! 
" ${updated_modules[*]} " =~ ${ecs_module} ]]; then - updated_modules+=("$ecs_module") - fi - fi - done - echo "Updated ECS modules: ${updated_modules[*]}" - - # Mapping section - module_to_file=( - [agent]="index-template-agent.json" - [alerts]="index-template-alerts.json" - [command]="index-template-commands.json" - [states-fim]="index-template-fim.json" - [states-inventory-hardware]="index-template-hardware.json" - [states-inventory-hotfixes]="index-template-hotfixes.json" - [states-inventory-networks]="index-template-networks.json" - [states-inventory-packages]="index-template-packages.json" - [states-inventory-ports]="index-template-ports.json" - [states-inventory-processes]="index-template-processes.json" - [states-inventory-scheduled-commands]="index-template-scheduled-commands.json" - [states-inventory-system]="index-template-system.json" - [states-vulnerabilities]="index-template-vulnerabilities.json" - ) - - relevant_modules=() - for ecs_module in "${updated_modules[@]}"; do - if [[ -n "${module_to_file[$ecs_module]}" ]]; then - relevant_modules+=("$ecs_module") - fi - done - echo "Relevant ECS modules: ${relevant_modules[*]}" -} - -# Run the ECS generator script for relevant modules. -run_ecs_generator() { - echo - echo "---> Running ECS Generator script..." - if [[ ${#relevant_modules[@]} -gt 0 ]]; then - for ecs_module in "${relevant_modules[@]}"; do - bash ecs/generator/mapping-generator.sh run "$ecs_module" - echo "Processed ECS module: $ecs_module" - bash ecs/generator/mapping-generator.sh down - done - else - echo "No relevant modifications detected in ecs/ directory." - exit 0 - fi -} - -# Clone the target repository and set up GitHub authentication. -clone_target_repo() { - # Clone the remote repository and change working directory to the - # folder it was cloned to. - echo - echo "---> Cloning ${PLUGINS_REPO} repository..." - if [ ! 
-d "$PLUGINS_LOCAL_PATH" ]; then - git clone \ - https://"$GITHUB_TOKEN"@github.com/$PLUGINS_REPO.git \ - "$PLUGINS_LOCAL_PATH" - fi - cd "$PLUGINS_LOCAL_PATH" || exit - - # Only for the GH Workflow - if check_running_on_gha; then - echo "Configuring Git for ${COMMITTER_USERNAME}" - configure_git - fi -} - -# Configure Git with the committer's identity and commit signing. -configure_git() { - # Setup the committers identity. - git config --global user.email "${COMMITER_EMAIL}" - git config --global user.name "${COMMITTER_USERNAME}" - - # Store the SSH key pair so Git can read it. - mkdir -p ~/.ssh/ - echo "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519_bot - echo "${SSH_PUBLIC_KEY}" > ~/.ssh/id_ed25519_bot.pub - chmod 600 ~/.ssh/id_ed25519_bot - chmod 644 ~/.ssh/id_ed25519_bot.pub - - # Setup commit signing - ssh-add ~/.ssh/id_ed25519_bot - git config --global gpg.format ssh - git config --global commit.gpgsign true - git config --global user.signingkey ~/.ssh/id_ed25519_bot.pub -} - -# Commit and push changes to the target repository. -commit_and_push_changes() { - echo - echo "---> Committing and pushing changes to ${PLUGINS_REPO} repository..." - git ls-remote --exit-code --heads origin "$BRANCH_NAME" >/dev/null 2>&1 - EXIT_CODE=$? - - if [[ $EXIT_CODE == '0' ]]; then - git checkout "$BRANCH_NAME" - git pull origin "$BRANCH_NAME" - else - git checkout -b "$BRANCH_NAME" - git push --set-upstream origin "$BRANCH_NAME" - fi - - echo "Copying ECS templates to the plugins repository..." 
- for ecs_module in "${relevant_modules[@]}"; do - target_file=${module_to_file[$ecs_module]} - if [[ -z "$target_file" ]]; then - continue - fi - # Save the template on the output path - mkdir -p "$OUTPUT_PATH" - cp "$CURRENT_PATH/ecs/$ecs_module/$MAPPINGS_SUBPATH" "$OUTPUT_PATH/$target_file" - # Copy the template to the plugins repository - mkdir -p $TEMPLATES_PATH - echo " - Copy template for module '$ecs_module' to '$target_file'" - cp "$CURRENT_PATH/ecs/$ecs_module/$MAPPINGS_SUBPATH" "$TEMPLATES_PATH/$target_file" - done - - git status --short - - if ! git diff-index --quiet HEAD --; then - echo "Changes detected. Committing and pushing to the repository..." - git add . - git commit -m "Update ECS templates for modified modules: ${relevant_modules[*]}" - git push - else - echo "Nothing to commit, working tree clean." - exit 0 - fi -} - -# Create or update a Pull Request with the modified ECS templates. -create_or_update_pr() { - echo - echo "---> Creating or updating Pull Request..." - - local existing_pr - local modules_body - local title - local body - - existing_pr=$(gh pr list --head "$BRANCH_NAME" --json number --jq '.[].number') - # Format modules - modules_body=$(printf -- '- %s\n' "${relevant_modules[@]}") - - # Create title and body with formatted modules list - title="[ECS Generator] Update index templates" - body=$(cat < token.txt - - # Authorize GitHub CLI for the current repository and - # create a pull-requests containing the updates. - gh auth login --with-token < token.txt - - if [ -z "$existing_pr" ]; then - output=$(gh pr create --title "$title" --body "$body" --base main --head "$BRANCH_NAME") - pr_url=$(echo "$output" | grep -oP 'https://github.com/\S+') - export PR_URL="$pr_url" - echo "New pull request created: $PR_URL" - else - echo "PR already exists: $existing_pr. Updating the PR..." 
- gh pr edit "$existing_pr" --body "$body" - pr_url=$(gh pr view "$existing_pr" --json url -q '.url') - export PR_URL="$pr_url" - echo "Pull request updated: $PR_URL" - fi - - # If the script is executed in a GHA, add a notice command. - if check_running_on_gha; then - echo "::notice::Pull Request URL:${PR_URL}" - fi -} - -# Display usage information. -usage() { - echo "Usage: $0 -b -t " - echo " -t [GITHUB_TOKEN] (Required) GitHub token to authenticate with GitHub API." - echo " -b [BRANCH_NAME] (Optional) Branch name to create or update the PR. Default: current branch." - echo " If not provided, the script will use the GITHUB_TOKEN environment variable." - exit 1 -} - -# Main function -main() { - while getopts ":b:t:o:" opt; do - case ${opt} in - b ) - BRANCH_NAME=$OPTARG - ;; - t ) - GITHUB_TOKEN=$OPTARG - ;; - o ) - if [[ "$OPTARG" == "./"* || ! "$OPTARG" =~ ^/ ]]; then - OPTARG="$(pwd)/${OPTARG#./}" - fi - OUTPUT_PATH=$OPTARG - ;; - \? ) - usage - ;; - : ) - echo "Invalid option: $OPTARG requires an argument" 1>&2 - usage - ;; - esac - done - - if [ -z "$BRANCH_NAME" ]; then - # Check if we are in a Git repository - if git rev-parse --is-inside-work-tree > /dev/null 2>&1; then - BRANCH_NAME=$(git rev-parse --abbrev-ref HEAD) - else - echo "Error: You are not in a Git repository." >&2 - exit 1 - fi - fi - - if [ -z "$BRANCH_NAME" ] || [ -z "$GITHUB_TOKEN" ]; then - usage - fi - - validate_dependencies - detect_modified_modules - run_ecs_generator # Exit if no changes on relevant modules. - clone_target_repo - commit_and_push_changes # Exit if no changes detected. - create_or_update_pr -} - -main "$@" diff --git a/ecs/states-fim/event-generator/event_generator.py b/ecs/states-fim/event-generator/event_generator.py deleted file mode 100644 index 5cd14d0b389c2..0000000000000 --- a/ecs/states-fim/event-generator/event_generator.py +++ /dev/null 
@@ -1,211 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-fim" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'hostname{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 
'region_name': 'California', - 'timezone': 'America/Los_Angeles' - }, - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_file(): - file = { - 'attributes': random.choice(['attribute1', 'attribute2']), - 'gid': f'gid{random.randint(0, 1000)}', - 'group': f'group{random.randint(0, 1000)}', - 'hash': { - 'md5': 
f'{random.randint(0, 9999)}', - 'sha1': f'{random.randint(0, 9999)}', - 'sha256': f'{random.randint(0, 9999)}' - }, - 'inode': f'inode{random.randint(0, 1000)}', - 'mode': f'mode{random.randint(0, 1000)}', - 'mtime': generate_random_date(), - 'name': f'name{random.randint(0, 1000)}', - 'owner': f'owner{random.randint(0, 1000)}', - 'path': f'/path/to/file', - 'size': random.randint(1000, 1000000), - 'target_path': f'/path/to/target{random.randint(0, 1000)}', - 'type': random.choice(['file_type1', 'file_type2']), - 'uid': f'uid{random.randint(0, 1000)}' - } - return file - - -def generate_random_registry(): - registry = { - 'key': f'registry_key{random.randint(0, 1000)}', - 'value': f'registry_value{random.randint(0, 1000)}' - } - return registry - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - 'agent': generate_random_agent(), - 'file': generate_random_file(), - 'registry': generate_random_registry() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. 
Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-fim/fields/custom/agent.yml b/ecs/states-fim/fields/custom/agent.yml deleted file mode 100644 index fd3cb2e6c41c9..0000000000000 --- a/ecs/states-fim/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/host.yml b/ecs/states-fim/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/states-fim/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/os.yml b/ecs/states-fim/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-fim/fields/custom/os.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/custom/risk.yml b/ecs/states-fim/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-fim/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-fim/fields/mapping-settings.json b/ecs/states-fim/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-fim/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-fim/fields/subset.yml b/ecs/states-fim/fields/subset.yml deleted file mode 100644 index 7eab78e238a21..0000000000000 --- a/ecs/states-fim/fields/subset.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -name: wazuh-states-fim -fields: - base: - fields: - tags: [] - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - file: - fields: - attributes: {} - name: {} - path: {} - gid: {} - group: {} - inode: {} - hash: - fields: - md5: {} - sha1: {} - sha256: {} - mtime: {} - mode: {} - size: {} - target_path: {} - type: {} - uid: {} - owner: {} - registry: - fields: - key: {} - value: {} diff --git a/ecs/states-fim/fields/template-settings-legacy.json b/ecs/states-fim/fields/template-settings-legacy.json deleted file mode 100644 index 91c05d65c44cf..0000000000000 --- a/ecs/states-fim/fields/template-settings-legacy.json +++ /dev/null 
@@ -1,21 +0,0 @@ -{ - "index_patterns": ["wazuh-states-fim*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } -} diff --git a/ecs/states-fim/fields/template-settings.json b/ecs/states-fim/fields/template-settings.json deleted file mode 100644 index 4ecb7b7d3831c..0000000000000 --- a/ecs/states-fim/fields/template-settings.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "index_patterns": ["wazuh-states-fim*"], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "agent.id", - "agent.groups", - "file.name", - "file.path", - "file.target_path", - "file.group", - "file.uid", - "file.gid" - ] - } - } - } -} diff --git a/ecs/states-inventory-hardware/event-generator/event_generator.py b/ecs/states-inventory-hardware/event-generator/event_generator.py deleted file mode 100644 index 680410b72f29b..0000000000000 --- a/ecs/states-inventory-hardware/event-generator/event_generator.py +++ /dev/null 
@@ -1,219 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-hardware" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host(False) - } - return agent - - -def generate_random_host(is_root_level=False): - if is_root_level: - host = { - 'cpu': { - 'cores': random.randint(1, 16), - 'name': f'CPU{random.randint(1, 999)}', - 'speed': random.randint(1000, 5000), - 'usage': random.uniform(0, 100) - }, - 'memory': { - 'free': random.randint(1000, 100000), - 'total': random.randint(1000, 100000), - 'used': { - 'percentage': random.uniform(0, 100) - } - } - } - else: - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'cores': random.randint(1, 16), - 'name': f'CPU{random.randint(1, 999)}', - 'speed': random.randint(1000, 5000), - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': 
{ - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'memory': { - 'free': random.randint(1000, 100000), - 'total': random.randint(1000, 100000), - 'used': { - 'percentage': random.uniform(0, 100) - } - }, - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def 
generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_observer(): - observer = { - 'serial_number': f'serial{random.randint(0, 9999)}' - } - return observer - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'host': generate_random_host(True), - 'observer': generate_random_observer() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. 
Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-hardware/fields/custom/agent.yml b/ecs/states-inventory-hardware/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-hardware/fields/custom/host.yml b/ecs/states-inventory-hardware/fields/custom/host.yml deleted file mode 100644 index 7df6e4dacae6d..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/host.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } - fields: - - name: memory - description: > - Memory related data - type: object - level: custom - - name: memory.total - description: > - Total memory in MB - type: long - level: custom - - name: memory.free - description: > - Free memory in MB - type: long - level: custom - - name: memory.used - description: > - Used memory related data - type: object - level: custom - - name: memory.used.percentage - description: > - Used memory percentage - type: long - level: custom - - name: cpu - description: > - CPU related data - type: object - level: custom - - name: cpu.name - description: > - CPU Model name - type: keyword - level: custom - - name: cpu.cores - description: > - Number of CPU cores - type: long - level: custom - - name: cpu.speed - description: > - CPU clock speed - type: long - level: custom \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/os.yml b/ecs/states-inventory-hardware/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/custom/risk.yml b/ecs/states-inventory-hardware/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-hardware/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/mapping-settings.json b/ecs/states-inventory-hardware/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-hardware/fields/mapping-settings.json +++ /dev/null 
@@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-hardware/fields/subset.yml b/ecs/states-inventory-hardware/fields/subset.yml deleted file mode 100644 index 74f2992a6ae9b..0000000000000 --- a/ecs/states-inventory-hardware/fields/subset.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -name: wazuh-states-inventory-hardware -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - observer: - fields: - serial_number: {} - host: - fields: - memory: - fields: "*" - cpu: - fields: "*" diff --git a/ecs/states-inventory-hardware/fields/template-settings-legacy.json b/ecs/states-inventory-hardware/fields/template-settings-legacy.json deleted file mode 100644 index b2281742d219e..0000000000000 --- a/ecs/states-inventory-hardware/fields/template-settings-legacy.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-hardware*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "observer.board_serial" - ] - } - } -} diff --git a/ecs/states-inventory-hardware/fields/template-settings.json b/ecs/states-inventory-hardware/fields/template-settings.json deleted file mode 100644 index d8cf7b772921c..0000000000000 --- a/ecs/states-inventory-hardware/fields/template-settings.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": [ - "wazuh-states-inventory-hardware*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "observer.board_serial" - ] - } - } - } -} \ No newline at end of file 
diff --git a/ecs/states-inventory-hotfixes/event-generator/event_generator.py b/ecs/states-inventory-hotfixes/event-generator/event_generator.py deleted file mode 100644 index 048315afb8313..0000000000000 --- a/ecs/states-inventory-hotfixes/event-generator/event_generator.py +++ /dev/null 
@@ -1,193 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-hotfixes" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 
255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_package(): - package = { - 'hotfix': { - 'name': f'hotfix{random.randint(0, 9999)}' - } - } - return 
package - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'package': generate_random_package() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() 
diff --git a/ecs/states-inventory-hotfixes/fields/custom/agent.yml b/ecs/states-inventory-hotfixes/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-hotfixes/fields/custom/host.yml b/ecs/states-inventory-hotfixes/fields/custom/host.yml deleted file mode 100644 index a0356d13da657..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: true - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/os.yml b/ecs/states-inventory-hotfixes/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/custom/package.yml b/ecs/states-inventory-hotfixes/fields/custom/package.yml deleted file mode 100644 index deee7e1a03e63..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/package.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -- name: package - title: Package - type: group - group: 2 - description: > - Package related data. - fields: - - name: hotfix - type: object - level: custom - group: 2 - description: > - Hotfix related data. - - name: hotfix.name - type: keyword - level: custom - description: > - Name of the Hotfix. \ No newline at end of file 
diff --git a/ecs/states-inventory-hotfixes/fields/custom/risk.yml b/ecs/states-inventory-hotfixes/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/custom/risk.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: risk - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/mapping-settings.json b/ecs/states-inventory-hotfixes/fields/mapping-settings.json deleted file mode 100644 index 0ad2b48fcc1be..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/mapping-settings.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "dynamic": "strict", - "date_detection": false -} \ No newline at end of file diff --git a/ecs/states-inventory-hotfixes/fields/subset.yml b/ecs/states-inventory-hotfixes/fields/subset.yml deleted file mode 100644 index 3cbf6f38f132f..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/subset.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- -name: wazuh-states-inventory-hotfixes -fields: - base: - fields: - tags: [] - "@timestamp": {} - agent: - fields: - groups: {} - id: {} - name: {} - type: {} - version: {} - host: - fields: "*" - package: - fields: - hotfix: - fields: - name: {} diff --git a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json b/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json deleted file mode 100644 index 390711717339d..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/template-settings-legacy.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "index_patterns": ["wazuh-states-inventory-hotfixes*"], - "order": 1, - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "package.hotfix.name" - ] - } - } -} 
diff --git a/ecs/states-inventory-hotfixes/fields/template-settings.json b/ecs/states-inventory-hotfixes/fields/template-settings.json deleted file mode 100644 index 0312d23702aa4..0000000000000 --- a/ecs/states-inventory-hotfixes/fields/template-settings.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "index_patterns": [ - "wazuh-states-inventory-hotfixes*" - ], - "priority": 1, - "template": { - "settings": { - "index": { - "number_of_shards": "1", - "number_of_replicas": "0", - "refresh_interval": "5s", - "query.default_field": [ - "package.hotfix.name" - ] - } - } - } -} \ No newline at end of file diff --git a/ecs/states-inventory-networks/event-generator/event_generator.py b/ecs/states-inventory-networks/event-generator/event_generator.py deleted file mode 100644 index 46c479d8a8e65..0000000000000 --- a/ecs/states-inventory-networks/event-generator/event_generator.py +++ /dev/null 
@@ -1,247 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-networks" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host(False) - } - return agent - - -def generate_random_host(is_root_level_level=False): - if is_root_level_level: - host = { - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - } - } - } - else: - host = { - 
'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'drops': random.randint(0, 100), - 'errors': random.randint(0, 100), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 
'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_network(): - network = { - 'broadcast': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'dhcp': f'dhcp{random.randint(0, 9999)}', - 'gateway': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'metric': random.randint(1, 100), - 'netmask': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'protocol': random.choice(['TCP', 'UDP', 'ICMP']), - 'type': random.choice(['wired', 'wireless']) - } - return network - -def generate_random_interface(is_root_level=False): - if is_root_level: - interface = { - 'mtu': f'{random.randint(1000000, 99999999)}', - 'state': random.choice(['Active', 'Inactive', 'Unknown']), - 'type': random.choice(['wireless', 'ethernet']) - } - else: - interface = { - 'alias': f'alias{random.randint(0, 9999)}', - 'name': f'name{random.randint(0, 9999)}', - } - - return interface - -def generate_random_observer(): - observer = { - 'ingress': { - 'interface': generate_random_interface(False) - } - } - return observer - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': 
generate_random_date(), - 'agent': generate_random_agent(), - 'host': generate_random_host(True), - 'network': generate_random_network(), - 'observer': generate_random_observer(), - 'interface': generate_random_interface(True) - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() 
diff --git a/ecs/states-inventory-networks/fields/custom/agent.yml b/ecs/states-inventory-networks/fields/custom/agent.yml
deleted file mode 100644
index 9feecf4e2da98..0000000000000
--- a/ecs/states-inventory-networks/fields/custom/agent.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: agent
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- type: group
- group: 2
- fields:
- - name: groups
- type: keyword
- level: custom
- description: >
- List of groups the agent belong to.
diff --git a/ecs/states-inventory-networks/fields/custom/host.yml b/ecs/states-inventory-networks/fields/custom/host.yml
deleted file mode 100644
index dada3cf6c0288..0000000000000
--- a/ecs/states-inventory-networks/fields/custom/host.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: host
- reusable:
- top_level: true
- expected:
- - { at: agent, as: host }
- fields:
- - name: network.egress.drops
- type: long
- level: custom
- description: >
- Number of dropped transmitted packets.
- - name: network.egress.errors
- type: long
- level: custom
- description: >
- Number of transmission errors.
- - name: network.ingress.drops
- type: long
- level: custom
- description: >
- Number of dropped received packets.
- - name: network.ingress.errors
- type: long
- level: custom
- description: >
- Number of reception errors.
\ No newline at end of file
diff --git a/ecs/states-inventory-networks/fields/custom/interface.yml b/ecs/states-inventory-networks/fields/custom/interface.yml
deleted file mode 100644
index 4d9a5625f22f0..0000000000000
--- a/ecs/states-inventory-networks/fields/custom/interface.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-- name: interface
- reusable:
- top_level: true
- expected:
- - { at: observer.egress.interface, as: observer.ingress.interface }
- title: Interface
- type: group
- group: 2
- description: >
- Network interface related data.
- fields:
- - name: mtu
- type: long
- level: custom
- description: >
- Maximum transmission unit size.
- - name: state
- type: keyword
- level: custom
- description: >
- State of the network interface.
- - name: type
- type: keyword
- level: custom
- description: >
- Interface type.
diff --git a/ecs/states-inventory-networks/fields/custom/network.yml b/ecs/states-inventory-networks/fields/custom/network.yml
deleted file mode 100644
index 2387fdd645b68..0000000000000
--- a/ecs/states-inventory-networks/fields/custom/network.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-- name: network
- title: Network
- type: group
- group: 2
- description: >
- Network related data.
- fields:
- - name: broadcast
- type: ip
- level: custom
- description: >
- Broadcast address
- - name: dhcp
- type: keyword
- level: custom
- description: >
- DHCP status (enabled, disabled, unknown, BOOTP)
- - name: gateway
- type: ip
- level: custom
- description: >
- Gateway address
- - name: metric
- type: long
- level: custom
- description: >
- Metric of the network protocol
- - name: netmask
- type: ip
- level: custom
- description: >
- Network mask
diff --git a/ecs/states-inventory-networks/fields/custom/os.yml b/ecs/states-inventory-networks/fields/custom/os.yml
deleted file mode 100644
index 952c2d6e93a40..0000000000000
--- a/ecs/states-inventory-networks/fields/custom/os.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: os
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-networks/fields/custom/risk.yml b/ecs/states-inventory-networks/fields/custom/risk.yml
deleted file mode 100644
index 1c06213bc6205..0000000000000
--- a/ecs/states-inventory-networks/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-networks/fields/mapping-settings.json b/ecs/states-inventory-networks/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/states-inventory-networks/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/states-inventory-networks/fields/subset.yml b/ecs/states-inventory-networks/fields/subset.yml
deleted file mode 100644
index 24392a19582a2..0000000000000
--- a/ecs/states-inventory-networks/fields/subset.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-name: wazuh-states-inventory-networks
-fields:
- base:
- fields:
- tags: []
- "@timestamp": {}
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- host:
- fields: "*"
- interface:
- fields:
- mtu: {}
- state: {}
- type: {}
- network:
- fields:
- broadcast: {}
- dhcp: {}
- gateway: {}
- metric: {}
- netmask: {}
- protocol: {}
- type: {}
- observer:
- fields:
- ingress:
- fields:
- interface:
- fields:
- alias: {}
- name: {}
diff --git a/ecs/states-inventory-networks/fields/template-settings-legacy.json b/ecs/states-inventory-networks/fields/template-settings-legacy.json
deleted file mode 100644
index 1f45768296427..0000000000000
--- a/ecs/states-inventory-networks/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-networks*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "device.id",
- "event.id",
- "host.ip",
- "observer.ingress.interface.name",
- "observer.ingress.interface.alias",
- "process.name"
- ]
- }
- }
-}
diff --git a/ecs/states-inventory-networks/fields/template-settings.json b/ecs/states-inventory-networks/fields/template-settings.json
deleted file mode 100644
index a5607e1012689..0000000000000
--- a/ecs/states-inventory-networks/fields/template-settings.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "index_patterns": [
- "wazuh-states-inventory-networks*"
- ],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "device.id",
- "event.id",
- "host.ip",
- "observer.ingress.interface.name",
- "observer.ingress.interface.alias",
- "process.name"
- ]
- }
- }
- }
-}
\ No newline at end of file
diff --git a/ecs/states-inventory-packages/event-generator/event_generator.py b/ecs/states-inventory-packages/event-generator/event_generator.py
deleted file mode 100644
index 77034d735931e..0000000000000
--- a/ecs/states-inventory-packages/event-generator/event_generator.py
+++ /dev/null
@@ -1,198 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-packages" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host() - } - return agent - - -def generate_random_host(): - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 
255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_package(): - package = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'description': 
f'description{random.randint(0, 9999)}', - 'installed': generate_random_date(), - 'name': f'package{random.randint(0, 9999)}', - 'path': f'/path/to/package{random.randint(0, 9999)}', - 'size': random.randint(1000, 100000), - 'type': random.choice(['deb', 'rpm']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - } - return package - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'package': generate_random_package() - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? 
(y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-packages/fields/custom/agent.yml b/ecs/states-inventory-packages/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-packages/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-packages/fields/custom/host.yml b/ecs/states-inventory-packages/fields/custom/host.yml deleted file mode 100644 index 919648bc0832f..0000000000000 --- a/ecs/states-inventory-packages/fields/custom/host.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: host - reusable: - top_level: false - expected: - - { at: agent, as: host } \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/os.yml b/ecs/states-inventory-packages/fields/custom/os.yml deleted file mode 100644 index 952c2d6e93a40..0000000000000 --- a/ecs/states-inventory-packages/fields/custom/os.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- name: os - reusable: - top_level: false - expected: - - agent.host \ No newline at end of file diff --git a/ecs/states-inventory-packages/fields/custom/risk.yml b/ecs/states-inventory-packages/fields/custom/risk.yml deleted file mode 100644 index 1c06213bc6205..0000000000000 
--- a/ecs/states-inventory-packages/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-packages/fields/mapping-settings.json b/ecs/states-inventory-packages/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/states-inventory-packages/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/states-inventory-packages/fields/subset.yml b/ecs/states-inventory-packages/fields/subset.yml
deleted file mode 100644
index 00ebd0b231be4..0000000000000
--- a/ecs/states-inventory-packages/fields/subset.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-name: wazuh-states-inventory-packages
-fields:
- base:
- fields:
- "@timestamp": {}
- tags: []
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- package:
- fields:
- architecture: ""
- description: ""
- installed: {}
- name: ""
- path: ""
- size: {}
- type: ""
- version: ""
diff --git a/ecs/states-inventory-packages/fields/template-settings-legacy.json b/ecs/states-inventory-packages/fields/template-settings-legacy.json
deleted file mode 100644
index ca085a0dad45d..0000000000000
--- a/ecs/states-inventory-packages/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-packages*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "package.architecture",
- "package.name",
- "package.version",
- "package.type"
- ]
- }
- }
-}
diff --git a/ecs/states-inventory-packages/fields/template-settings.json b/ecs/states-inventory-packages/fields/template-settings.json
deleted file mode 100644
index e6cd3078a8325..0000000000000
--- a/ecs/states-inventory-packages/fields/template-settings.json
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-packages*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "package.architecture",
- "package.name",
- "package.version",
- "package.type"
- ]
- }
- }
- }
-}
diff --git a/ecs/states-inventory-ports/event-generator/event_generator.py b/ecs/states-inventory-ports/event-generator/event_generator.py
deleted file mode 100644
index 5f0c13a3b513c..0000000000000
--- a/ecs/states-inventory-ports/event-generator/event_generator.py
+++ /dev/null
@@ -1,247 +0,0 @@ -#!/bin/python3 - -import datetime -import json -import logging -import random -import requests -import urllib3 - -# Constants and Configuration -LOG_FILE = 'generate_data.log' -GENERATED_DATA_FILE = 'generatedData.json' -DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" -# Default values -INDEX_NAME = "wazuh-states-inventory-ports" -USERNAME = "admin" -PASSWORD = "admin" -IP = "127.0.0.1" -PORT = "9200" - -# Configure logging -logging.basicConfig(filename=LOG_FILE, level=logging.INFO) - -# Suppress warnings -urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) - - -def generate_random_date(): - start_date = datetime.datetime.now() - end_date = start_date - datetime.timedelta(days=10) - random_date = start_date + (end_date - start_date) * random.random() - return random_date.strftime(DATE_FORMAT) - - -def generate_random_agent(): - agent = { - 'id': f'agent{random.randint(0, 99)}', - 'name': f'Agent{random.randint(0, 99)}', - 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']), - 'version': f'v{random.randint(0, 9)}-stable', - 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'], - 'host': generate_random_host(False) - } - return agent - - -def generate_random_host(is_root_level=False): - if is_root_level: - host = { - 'network': { - 'egress': { - 'queue': random.randint(0, 1000) - }, - 'ingress': { - 'queue': random.randint(0, 1000) - } - } - } - else: - host = { - 'architecture': random.choice(['x86_64', 'arm64']), - 'boot': { - 'id': f'bootid{random.randint(0, 9999)}' - }, - 'cpu': { - 'usage': random.uniform(0, 100) - }, - 'disk': { - 'read': { - 'bytes': random.randint(1000, 1000000) - }, - 'write': { - 'bytes': random.randint(1000, 1000000) - } - }, - 'domain': f'domain{random.randint(0, 1000)}', - 'geo': generate_random_geo(), - 'hostname': f'host{random.randint(0, 1000)}', - 'id': f'id{random.randint(0, 1000)}', - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 
255)}.{random.randint(0, 255)}', - 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}', - 'name': f'host{random.randint(0, 1000)}', - 'network': { - 'egress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000), - 'queue': random.randint(0, 1000) - }, - 'ingress': { - 'bytes': random.randint(1000, 1000000), - 'packets': random.randint(100, 10000), - 'queue': random.randint(0, 1000) - } - }, - 'os': { - 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']), - 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}', - 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}', - 'name': random.choice(['Linux', 'Windows', 'macOS']), - 'platform': random.choice(['platform1', 'platform2']), - 'type': random.choice(['os_type1', 'os_type2']), - 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}' - }, - 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}', - 'risk': { - 'calculated_level': random.choice(['low', 'medium', 'high']), - 'calculated_score': random.uniform(0, 10), - 'calculated_score_norm': random.uniform(0, 1), - 'static_level': random.choice(['low', 'medium', 'high']), - 'static_score': random.uniform(0, 10), - 'static_score_norm': random.uniform(0, 1) - }, - 'type': random.choice(['type1', 'type2']), - 'uptime': random.randint(1000, 1000000) - } - return host - - -def generate_random_geo(): - geo = { - 'city_name': 'CityName', - 'continent_code': 'NA', - 'continent_name': 'North America', - 'country_iso_code': 'US', - 'country_name': 'United States', - 'location': { - 'lat': round(random.uniform(-90, 90), 6), - 'lon': round(random.uniform(-180, 180), 6) - }, - 'name': f'location{random.randint(0, 999)}', - 'postal_code': f'{random.randint(10000, 
99999)}', - 'region_iso_code': 'US-CA', - 'region_name': 'California', - 'timezone': 'America/Los_Angeles' - } - return geo - - -def generate_random_destination(): - destination = { - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'port': random.randint(0, 65535) - } - return destination - - -def generate_random_device(): - device = { - 'id': f'device{random.randint(0, 9999)}' - } - return device - - -def generate_random_file(): - file = { - 'inode': f'inode{random.randint(0, 9999)}' - } - return file - - -def generate_random_process(): - process = { - 'name': f'process{random.randint(0, 9999)}', - 'pid': random.randint(0, 99999) - } - return process - - -def generate_random_source(): - source = { - 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}', - 'port': random.randint(0, 65535) - } - return source - - -def generate_random_data(number): - data = [] - for _ in range(number): - event_data = { - '@timestamp': generate_random_date(), - 'agent': generate_random_agent(), - 'destination': generate_random_destination(), - 'device': generate_random_device(), - 'file': generate_random_file(), - 'host': generate_random_host(True), - 'network': { - 'protocol': random.choice(['TCP', 'UDP', 'ICMP']) - }, - 'process': generate_random_process(), - 'source': generate_random_source(), - 'interface': { - 'state': random.choice(['Active', 'Inactive', 'Unknown']) - } - } - data.append(event_data) - return data - - -def inject_events(ip, port, index, username, password, data): - url = f'https://{ip}:{port}/{index}/_doc' - session = requests.Session() - session.auth = (username, password) - session.verify = False - headers = {'Content-Type': 'application/json'} - - try: - for event_data in data: - response = session.post(url, json=event_data, headers=headers) - if response.status_code != 201: - logging.error(f'Error: {response.status_code}') - 
logging.error(response.text) - break - logging.info('Data injection completed successfully.') - except Exception as e: - logging.error(f'Error: {str(e)}') - - -def main(): - try: - number = int(input("How many events do you want to generate? ")) - except ValueError: - logging.error("Invalid input. Please enter a valid number.") - return - - logging.info(f"Generating {number} events...") - data = generate_random_data(number) - - with open(GENERATED_DATA_FILE, 'a') as outfile: - for event_data in data: - json.dump(event_data, outfile) - outfile.write('\n') - - logging.info('Data generation completed.') - - inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower() - if inject == 'y': - ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP - port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT - index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME - username = input(f"Username (default: '{USERNAME}'): ") or USERNAME - password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD - inject_events(ip, port, index, username, password, data) - - -if __name__ == "__main__": - main() diff --git a/ecs/states-inventory-ports/fields/custom/agent.yml b/ecs/states-inventory-ports/fields/custom/agent.yml deleted file mode 100644 index 9feecf4e2da98..0000000000000 --- a/ecs/states-inventory-ports/fields/custom/agent.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: agent - title: Wazuh Agents - short: Wazuh Inc. custom fields. - type: group - group: 2 - fields: - - name: groups - type: keyword - level: custom - description: > - List of groups the agent belong to. diff --git a/ecs/states-inventory-ports/fields/custom/host.yml b/ecs/states-inventory-ports/fields/custom/host.yml deleted file mode 100644 index 1ce10e63f92d4..0000000000000 --- a/ecs/states-inventory-ports/fields/custom/host.yml +++ /dev/null 
@@ -1,17 +0,0 @@
----
-- name: host
- reusable:
- top_level: true
- expected:
- - { at: agent, as: host }
- fields:
- - name: network.ingress.queue
- type: long
- level: custom
- description: >
- Receive queue length.
- - name: network.egress.queue
- type: long
- level: custom
- description: >
- Transmit queue length.
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/custom/interface.yml b/ecs/states-inventory-ports/fields/custom/interface.yml
deleted file mode 100644
index e2cd63e94f3b2..0000000000000
--- a/ecs/states-inventory-ports/fields/custom/interface.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-- name: interface
- reusable:
- top_level: true
- expected:
- - { at: observer.egress.interface, as: observer.ingress.interface }
- title: Interface
- type: group
- group: 2
- description: >
- Network interface related data.
- fields:
- - name: state
- type: keyword
- level: custom
- description: >
- State of the network interface.
diff --git a/ecs/states-inventory-ports/fields/custom/os.yml b/ecs/states-inventory-ports/fields/custom/os.yml
deleted file mode 100644
index 952c2d6e93a40..0000000000000
--- a/ecs/states-inventory-ports/fields/custom/os.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: os
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/custom/risk.yml b/ecs/states-inventory-ports/fields/custom/risk.yml
deleted file mode 100644
index 1c06213bc6205..0000000000000
--- a/ecs/states-inventory-ports/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/mapping-settings.json b/ecs/states-inventory-ports/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/states-inventory-ports/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/states-inventory-ports/fields/subset.yml b/ecs/states-inventory-ports/fields/subset.yml
deleted file mode 100644
index 422989cd48019..0000000000000
--- a/ecs/states-inventory-ports/fields/subset.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-name: wazuh-states-inventory-ports
-fields:
- base:
- fields:
- tags: []
- "@timestamp": {}
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- destination:
- fields:
- ip: {}
- port: {}
- device:
- fields:
- id: {}
- file:
- fields:
- inode: {}
- host:
- fields:
- network:
- fields:
- egress:
- fields:
- queue: {}
- ingress:
- fields:
- queue: {}
- network:
- fields:
- protocol: {}
- process:
- fields:
- name: {}
- pid: {}
- source:
- fields:
- ip: {}
- port: {}
- interface:
- fields:
- state: {}
diff --git a/ecs/states-inventory-ports/fields/template-settings-legacy.json b/ecs/states-inventory-ports/fields/template-settings-legacy.json
deleted file mode 100644
index 684b7689d70f3..0000000000000
--- a/ecs/states-inventory-ports/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-ports*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "process.name",
- "source.ip",
- "destination.ip"
- ]
- }
- }
-}
diff --git a/ecs/states-inventory-ports/fields/template-settings.json b/ecs/states-inventory-ports/fields/template-settings.json
deleted file mode 100644
index 9324c929a4bfd..0000000000000
--- a/ecs/states-inventory-ports/fields/template-settings.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "index_patterns": [
- "wazuh-states-inventory-ports*"
- ],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "process.name",
- "source.ip",
- "destination.ip"
- ]
- }
- }
- }
-}
\ No newline at end of file
diff --git a/ecs/states-inventory-processes/event-generator/event_generator.py b/ecs/states-inventory-processes/event-generator/event_generator.py
deleted file mode 100644
index 0cf1939a37018..0000000000000
--- a/ecs/states-inventory-processes/event-generator/event_generator.py
+++ /dev/null
@@ -1,223 +0,0 @@
-#!/bin/python3
-
-import datetime
-import json
-import logging
-import random
-import requests
-import urllib3
-
-# Constants and Configuration
-LOG_FILE = 'generate_data.log'
-GENERATED_DATA_FILE = 'generatedData.json'
-DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
-# Default values
-INDEX_NAME = "wazuh-states-inventory-processes"
-USERNAME = "admin"
-PASSWORD = "admin"
-IP = "127.0.0.1"
-PORT = "9200"
-
-# Configure logging
-logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
-
-# Suppress warnings
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-
-def generate_random_date():
- start_date = datetime.datetime.now()
- end_date = start_date - datetime.timedelta(days=10)
- random_date = start_date + (end_date - start_date) * random.random()
- return random_date.strftime(DATE_FORMAT)
-
-
-def generate_random_agent():
- agent = {
- 'id': f'agent{random.randint(0, 99)}',
- 'name': f'Agent{random.randint(0, 99)}',
- 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']),
- 'version': f'v{random.randint(0, 9)}-stable',
- 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'],
- 'host': generate_random_host()
- }
- return agent
-
-
-def generate_random_host():
- host = {
- 'architecture': random.choice(['x86_64', 'arm64']),
- 'boot': {
- 'id': f'bootid{random.randint(0, 9999)}'
- },
- 'cpu': {
- 'usage': random.uniform(0, 100)
- },
- 'disk': {
- 'read': {
- 'bytes': random.randint(1000, 1000000)
- },
- 'write': {
- 'bytes': random.randint(1000, 1000000)
- }
- },
- 'domain': f'domain{random.randint(0, 1000)}',
- 'geo': generate_random_geo(),
- 'hostname': f'host{random.randint(0, 1000)}',
- 'id': f'id{random.randint(0, 1000)}',
- 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}',
- 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}',
- 'name': f'host{random.randint(0, 1000)}',
- 'network': {
- 'egress': {
- 'bytes': random.randint(1000, 1000000),
- 'packets': random.randint(100, 10000)
- },
- 'ingress': {
- 'bytes': random.randint(1000, 1000000),
- 'packets': random.randint(100, 10000)
- }
- },
- 'os': {
- 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']),
- 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}',
- 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}',
- 'name': random.choice(['Linux', 'Windows', 'macOS']),
- 'platform': random.choice(['platform1', 'platform2']),
- 'type': random.choice(['os_type1', 'os_type2']),
- 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}'
- },
- 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}',
- 'risk': {
- 'calculated_level': random.choice(['low', 'medium', 'high']),
- 'calculated_score': random.uniform(0, 10),
- 'calculated_score_norm': random.uniform(0, 1),
- 'static_level': random.choice(['low', 'medium', 'high']),
- 'static_score': random.uniform(0, 10),
- 'static_score_norm': random.uniform(0, 1)
- },
- 'type': random.choice(['type1', 'type2']),
- 'uptime': random.randint(1000, 1000000)
- }
- return host
-
-
-def generate_random_geo():
- geo = {
- 'city_name': 'CityName',
- 'continent_code': 'NA',
- 'continent_name': 'North America',
- 'country_iso_code': 'US',
- 'country_name': 'United States',
- 'location': {
- 'lat': round(random.uniform(-90, 90), 6),
- 'lon': round(random.uniform(-180, 180), 6)
- },
- 'name': f'location{random.randint(0, 999)}',
- 'postal_code': f'{random.randint(10000, 99999)}',
- 'region_iso_code': 'US-CA',
- 'region_name': 'California',
- 'timezone': 'America/Los_Angeles'
- }
- return geo
-
-
-def generate_random_process():
- process = {
- 'args': f'arg{random.randint(0, 9999)}',
- 'command_line': f'command{random.randint(0, 9999)}',
- 'group': {
- 'id': f'groupid{random.randint(0, 9999)}'
- },
- 'name': f'process{random.randint(0, 9999)}',
- 'parent': {
- 'pid': random.randint(1, 9999)
- },
- 'pid': random.randint(1, 9999),
- 'real_group': {
- 'id': f'realgroupid{random.randint(0, 9999)}'
- },
- 'real_user': {
- 'id': f'realuserid{random.randint(0, 9999)}'
- },
- 'saved_group': {
- 'id': f'savedgroupid{random.randint(0, 9999)}'
- },
- 'saved_user': {
- 'id': f'saveduserid{random.randint(0, 9999)}'
- },
- 'start': generate_random_date(),
- 'thread': {
- 'id': random.randint(1, 9999)
- },
- 'user': {
- 'id': f'userid{random.randint(0, 9999)}'
- },
- 'tty': {
- 'char_device': {
- 'major': random.randint(0, 5)
- }
- }
- }
- return process
-
-
-def generate_random_data(number):
- data = []
- for _ in range(number):
- event_data = {
- '@timestamp': generate_random_date(),
- 'agent': generate_random_agent(),
- 'process': generate_random_process()
- }
- data.append(event_data)
- return data
-
-def inject_events(ip, port, index, username, password, data):
- url = f'https://{ip}:{port}/{index}/_doc'
- session = requests.Session()
- session.auth = (username, password)
- session.verify = False
- headers = {'Content-Type': 'application/json'}
-
- try:
- for event_data in data:
- response = session.post(url, json=event_data, headers=headers)
- if response.status_code != 201:
- logging.error(f'Error: {response.status_code}')
- logging.error(response.text)
- break
- logging.info('Data injection completed successfully.')
- except Exception as e:
- logging.error(f'Error: {str(e)}')
-
-
-def main():
- try:
- number = int(input("How many events do you want to generate? "))
- except ValueError:
- logging.error("Invalid input. Please enter a valid number.")
- return
-
- logging.info(f"Generating {number} events...")
- data = generate_random_data(number)
-
- with open(GENERATED_DATA_FILE, 'a') as outfile:
- for event_data in data:
- json.dump(event_data, outfile)
- outfile.write('\n')
-
- logging.info('Data generation completed.')
-
- inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower()
- if inject == 'y':
- ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
- port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
- index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
- username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
- password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
- inject_events(ip, port, index, username, password, data)
-
-
-if __name__ == "__main__":
- main()
diff --git a/ecs/states-inventory-processes/fields/custom/agent.yml b/ecs/states-inventory-processes/fields/custom/agent.yml
deleted file mode 100644
index 9feecf4e2da98..0000000000000
--- a/ecs/states-inventory-processes/fields/custom/agent.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: agent
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- type: group
- group: 2
- fields:
- - name: groups
- type: keyword
- level: custom
- description: >
- List of groups the agent belong to.
diff --git a/ecs/states-inventory-processes/fields/custom/host.yml b/ecs/states-inventory-processes/fields/custom/host.yml
deleted file mode 100644
index a0356d13da657..0000000000000
--- a/ecs/states-inventory-processes/fields/custom/host.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: host
- reusable:
- top_level: true
- expected:
- - { at: agent, as: host }
\ No newline at end of file
diff --git a/ecs/states-inventory-processes/fields/custom/os.yml b/ecs/states-inventory-processes/fields/custom/os.yml
deleted file mode 100644
index 952c2d6e93a40..0000000000000
--- a/ecs/states-inventory-processes/fields/custom/os.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: os
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-processes/fields/custom/risk.yml b/ecs/states-inventory-processes/fields/custom/risk.yml
deleted file mode 100644
index 1c06213bc6205..0000000000000
--- a/ecs/states-inventory-processes/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-processes/fields/mapping-settings.json b/ecs/states-inventory-processes/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/states-inventory-processes/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml
deleted file mode 100644
index 6a391603f2b6f..0000000000000
--- a/ecs/states-inventory-processes/fields/subset.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-name: wazuh-states-inventory-processes
-fields:
- base:
- fields:
- "@timestamp": {}
- tags: []
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- process:
- fields:
- pid: {}
- name: ""
- parent:
- fields:
- pid: {}
- command_line: ""
- args: ""
- user:
- fields:
- id: ""
- real_user:
- fields:
- id: ""
- saved_user:
- fields:
- id: ""
- group:
- fields:
- id: ""
- real_group:
- fields:
- id: ""
- saved_group:
- fields:
- id: ""
- start: {}
- thread:
- fields:
- id: ""
- tty:
- fields:
- char_device:
- fields:
- major: ""
diff --git a/ecs/states-inventory-processes/fields/template-settings-legacy.json b/ecs/states-inventory-processes/fields/template-settings-legacy.json
deleted file mode 100644
index 0c5363d2feeb7..0000000000000
--- a/ecs/states-inventory-processes/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-processes*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "process.name",
- "process.pid",
- "process.command_line"
- ]
- }
- }
-}
diff --git a/ecs/states-inventory-processes/fields/template-settings.json b/ecs/states-inventory-processes/fields/template-settings.json
deleted file mode 100644
index 15c0bc58c58ba..0000000000000
--- a/ecs/states-inventory-processes/fields/template-settings.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-processes*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "process.name",
- "process.pid",
- "process.command_line"
- ]
- }
- }
- }
-}
diff --git a/ecs/states-inventory-system/event-generator/event_generator.py b/ecs/states-inventory-system/event-generator/event_generator.py
deleted file mode 100644
index aa3eeba2ecb66..0000000000000
--- a/ecs/states-inventory-system/event-generator/event_generator.py
+++ /dev/null
@@ -1,197 +0,0 @@
-#!/bin/python3
-
-import datetime
-import json
-import logging
-import random
-import requests
-import urllib3
-
-# Constants and Configuration
-LOG_FILE = 'generate_data.log'
-GENERATED_DATA_FILE = 'generatedData.json'
-DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
-# Default values
-INDEX_NAME = "wazuh-states-inventory-system"
-USERNAME = "admin"
-PASSWORD = "admin"
-IP = "127.0.0.1"
-PORT = "9200"
-
-# Configure logging
-logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
-
-# Suppress warnings
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-
-def generate_random_date():
- start_date = datetime.datetime.now()
- end_date = start_date - datetime.timedelta(days=10)
- random_date = start_date + (end_date - start_date) * random.random()
- return random_date.strftime(DATE_FORMAT)
-
-
-def generate_random_agent():
- agent = {
- 'id': f'agent{random.randint(0, 99)}',
- 'name': f'Agent{random.randint(0, 99)}',
- 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']),
- 'version': f'v{random.randint(0, 9)}-stable',
- 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'],
- 'host': generate_random_host(False)
- }
- return agent
-
-
-def generate_random_host(is_root_level=False):
- if is_root_level:
- host = {
- 'architecture': random.choice(['x86_64', 'arm64']),
- 'hostname': f'host{random.randint(0, 1000)}',
- 'os': {
- 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}',
- 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}',
- 'name': random.choice(['Linux', 'Windows', 'macOS']),
- 'platform': random.choice(['platform1', 'platform2']),
- 'type': random.choice(['os_type1', 'os_type2']),
- 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}'
- }
- }
- else:
- host = {
- 'architecture': random.choice(['x86_64', 'arm64']),
- 'boot': {
- 'id': f'bootid{random.randint(0, 9999)}'
- },
- 'cpu': {
- 'usage': random.uniform(0, 100)
- },
- 'disk': {
- 'read': {
- 'bytes': random.randint(1000, 1000000)
- },
- 'write': {
- 'bytes': random.randint(1000, 1000000)
- }
- },
- 'domain': f'domain{random.randint(0, 1000)}',
- 'geo': generate_random_geo(),
- 'hostname': f'host{random.randint(0, 1000)}',
- 'id': f'id{random.randint(0, 1000)}',
- 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}',
- 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}',
- 'name': f'host{random.randint(0, 1000)}',
- 'network': {
- 'egress': {
- 'bytes': random.randint(1000, 1000000),
- 'packets': random.randint(100, 10000)
- },
- 'ingress': {
- 'bytes': random.randint(1000, 1000000),
- 'packets': random.randint(100, 10000)
- }
- },
- 'os': {
- 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']),
- 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}',
- 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}',
- 'name': random.choice(['Linux', 'Windows', 'macOS']),
- 'platform': random.choice(['platform1', 'platform2']),
- 'type': random.choice(['os_type1', 'os_type2']),
- 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}'
- },
- 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}',
- 'risk': {
- 'calculated_level': random.choice(['low', 'medium', 'high']),
- 'calculated_score': random.uniform(0, 10),
- 'calculated_score_norm': random.uniform(0, 1),
- 'static_level': random.choice(['low', 'medium', 'high']),
- 'static_score': random.uniform(0, 10),
- 'static_score_norm': random.uniform(0, 1)
- },
- 'type': random.choice(['type1', 'type2']),
- 'uptime': random.randint(1000, 1000000)
- }
- return host
-
-
-def generate_random_geo():
- geo = {
- 'city_name': 'CityName',
- 'continent_code': 'NA',
- 'continent_name': 'North America',
- 'country_iso_code': 'US',
- 'country_name': 'United States',
- 'location': {
- 'lat': round(random.uniform(-90, 90), 6),
- 'lon': round(random.uniform(-180, 180), 6)
- },
- 'name': f'location{random.randint(0, 999)}',
- 'postal_code': f'{random.randint(10000, 99999)}',
- 'region_iso_code': 'US-CA',
- 'region_name': 'California',
- 'timezone': 'America/Los_Angeles'
- }
- return geo
-
-
-def generate_random_data(number):
- data = []
- for _ in range(number):
- event_data = {
- '@timestamp': generate_random_date(),
- 'agent': generate_random_agent(),
- 'host': generate_random_host(True)
- }
- data.append(event_data)
- return data
-
-
-def inject_events(ip, port, index, username, password, data):
- url = f'https://{ip}:{port}/{index}/_doc'
- session = requests.Session()
- session.auth = (username, password)
- session.verify = False
- headers = {'Content-Type': 'application/json'}
-
- try:
- for event_data in data:
- response = session.post(url, json=event_data, headers=headers)
- if response.status_code != 201:
- logging.error(f'Error: {response.status_code}')
- logging.error(response.text)
- break
- logging.info('Data injection completed successfully.')
- except Exception as e:
- logging.error(f'Error: {str(e)}')
-
-
-def main():
- try:
- number = int(input("How many events do you want to generate? "))
- except ValueError:
- logging.error("Invalid input. Please enter a valid number.")
- return
-
- logging.info(f"Generating {number} events...")
- data = generate_random_data(number)
-
- with open(GENERATED_DATA_FILE, 'a') as outfile:
- for event_data in data:
- json.dump(event_data, outfile)
- outfile.write('\n')
-
- logging.info('Data generation completed.')
-
- inject = input("Do you want to inject the generated data into your indexer? (y/n) ").strip().lower()
- if inject == 'y':
- ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
- port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
- index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
- username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
- password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
- inject_events(ip, port, index, username, password, data)
-
-if __name__ == "__main__":
- main()
diff --git a/ecs/states-inventory-system/fields/custom/agent.yml b/ecs/states-inventory-system/fields/custom/agent.yml
deleted file mode 100644
index 9feecf4e2da98..0000000000000
--- a/ecs/states-inventory-system/fields/custom/agent.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: agent
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- type: group
- group: 2
- fields:
- - name: groups
- type: keyword
- level: custom
- description: >
- List of groups the agent belong to.
diff --git a/ecs/states-inventory-system/fields/custom/host.yml b/ecs/states-inventory-system/fields/custom/host.yml
deleted file mode 100644
index a0356d13da657..0000000000000
--- a/ecs/states-inventory-system/fields/custom/host.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: host
- reusable:
- top_level: true
- expected:
- - { at: agent, as: host }
\ No newline at end of file
diff --git a/ecs/states-inventory-system/fields/custom/os.yml b/ecs/states-inventory-system/fields/custom/os.yml
deleted file mode 100644
index 952c2d6e93a40..0000000000000
--- a/ecs/states-inventory-system/fields/custom/os.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: os
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-system/fields/custom/risk.yml b/ecs/states-inventory-system/fields/custom/risk.yml
deleted file mode 100644
index 1c06213bc6205..0000000000000
--- a/ecs/states-inventory-system/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-inventory-system/fields/mapping-settings.json b/ecs/states-inventory-system/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/states-inventory-system/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/states-inventory-system/fields/subset.yml b/ecs/states-inventory-system/fields/subset.yml
deleted file mode 100644
index c31262f1c8970..0000000000000
--- a/ecs/states-inventory-system/fields/subset.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-name: wazuh-states-inventory-system
-fields:
- base:
- fields:
- tags: []
- "@timestamp": {}
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- host:
- fields: "*"
diff --git a/ecs/states-inventory-system/fields/template-settings-legacy.json b/ecs/states-inventory-system/fields/template-settings-legacy.json
deleted file mode 100644
index 2d12dcaac3ce6..0000000000000
--- a/ecs/states-inventory-system/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-system*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "host.name",
- "host.os.type",
- "host.os.version"
- ]
- }
- }
-}
diff --git a/ecs/states-inventory-system/fields/template-settings.json b/ecs/states-inventory-system/fields/template-settings.json
deleted file mode 100644
index 62249c19e72ea..0000000000000
--- a/ecs/states-inventory-system/fields/template-settings.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "index_patterns": ["wazuh-states-inventory-system*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "host.name",
- "host.os.type",
- "host.os.version"
- ]
- }
- }
- }
-}
diff --git a/ecs/states-vulnerabilities/event-generator/event_generator.py b/ecs/states-vulnerabilities/event-generator/event_generator.py
deleted file mode 100644
index 8170cc443dd6a..0000000000000
--- a/ecs/states-vulnerabilities/event-generator/event_generator.py
+++ /dev/null
@@ -1,233 +0,0 @@
-#!/bin/python3
-
-import datetime
-import json
-import logging
-import random
-import requests
-import urllib3
-
-# Constants and Configuration
-LOG_FILE = 'generate_data.log'
-GENERATED_DATA_FILE = 'generatedData.json'
-DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
-# Default values
-INDEX_NAME = "wazuh-states-vulnerabilities"
-USERNAME = "admin"
-PASSWORD = "admin"
-IP = "127.0.0.1"
-PORT = "9200"
-
-# Configure logging
-logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
-
-# Suppress warnings
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-
-def generate_random_date():
- start_date = datetime.datetime.now()
- end_date = start_date - datetime.timedelta(days=10)
- random_date = start_date + (end_date - start_date) * random.random()
- return random_date.strftime(DATE_FORMAT)
-
-
-def generate_random_agent():
- agent = {
- 'id': f'agent{random.randint(0, 99)}',
- 'name': f'Agent{random.randint(0, 99)}',
- 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']),
- 'version': f'v{random.randint(0, 9)}-stable',
- 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'],
- 'host': generate_random_host()
- }
- return agent
-
-
-def generate_random_host():
- host = {
- 'architecture': random.choice(['x86_64', 'arm64']),
- 'boot': {
- 'id': f'bootid{random.randint(0, 9999)}'
- },
- 'cpu': {
- 'usage': random.uniform(0, 100)
- },
- 'disk': {
- 'read': {
- 'bytes': random.randint(1000, 1000000)
- },
- 'write': {
- 'bytes': random.randint(1000, 1000000)
- }
- },
- 'domain': f'domain{random.randint(0, 1000)}',
- 'geo': generate_random_geo(),
- 'hostname': f'host{random.randint(0, 1000)}',
- 'id': f'id{random.randint(0, 1000)}',
- 'ip': f'{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}',
- 'mac': f'{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}:{random.randint(0, 255):02x}',
- 'name': f'host{random.randint(0, 1000)}',
- 'network': {
- 'egress': {
- 'bytes': random.randint(1000, 1000000),
- 'packets': random.randint(100, 10000)
- },
- 'ingress': {
- 'bytes': random.randint(1000, 1000000),
- 'packets': random.randint(100, 10000)
- }
- },
- 'os': {
- 'family': random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL']),
- 'full': f'{random.choice(["debian", "ubuntu", "macos", "ios", "android", "RHEL"])} {random.randint(0, 99)}.{random.randint(0, 99)}',
- 'kernel': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}',
- 'name': random.choice(['Linux', 'Windows', 'macOS']),
- 'platform': random.choice(['platform1', 'platform2']),
- 'type': random.choice(['os_type1', 'os_type2']),
- 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}'
- },
- 'pid_ns_ino': f'pid_ns{random.randint(0, 9999)}',
- 'risk': {
- 'calculated_level': random.choice(['low', 'medium', 'high']),
- 'calculated_score': random.uniform(0, 10),
- 'calculated_score_norm': random.uniform(0, 1),
- 'static_level': random.choice(['low', 'medium', 'high']),
- 'static_score': random.uniform(0, 10),
- 'static_score_norm': random.uniform(0, 1)
- },
- 'type': random.choice(['type1', 'type2']),
- 'uptime': random.randint(1000, 1000000)
- }
- return host
-
-
-def generate_random_geo():
- geo = {
- 'city_name': 'CityName',
- 'continent_code': 'NA',
- 'continent_name': 'North America',
- 'country_iso_code': 'US',
- 'country_name': 'United States',
- 'location': {
- 'lat': round(random.uniform(-90, 90), 6),
- 'lon': round(random.uniform(-180, 180), 6)
- },
- 'name': f'location{random.randint(0, 999)}',
- 'postal_code': f'{random.randint(10000, 99999)}',
- 'region_iso_code': 'US-CA',
- 'region_name': 'California',
- 'timezone': 'America/Los_Angeles'
- }
- return geo
-
-
-def generate_random_package():
- package = {
- 'architecture': random.choice(['x86_64', 'arm64']),
- 'build_version': f'build{random.randint(0, 9999)}',
- 'checksum': f'checksum{random.randint(0, 9999)}',
- 'description': f'description{random.randint(0, 9999)}',
- 'install_scope': random.choice(['system', 'user']),
- 'installed': generate_random_date(),
- 'license': random.choice(['GPL', 'MIT', 'Apache']),
- 'name': f'package{random.randint(0, 9999)}',
- 'path': f'/path/to/package{random.randint(0, 9999)}',
- 'reference': f'reference{random.randint(0, 9999)}',
- 'size': random.randint(1000, 100000),
- 'type': random.choice(['deb', 'rpm']),
- 'version': f'{random.randint(0, 9)}.{random.randint(0, 9)}.{random.randint(0, 9)}'
- }
- return package
-
-
-def generate_random_vulnerability():
- vulnerability = {
- 'category': random.choice(['security', 'compliance']),
- 'classification': f'classification{random.randint(0, 9999)}',
- 'description': f'description{random.randint(0, 9999)}',
- 'detected_at': generate_random_date(),
- 'enumeration': f'enumeration{random.randint(0, 9999)}',
- 'id': f'id{random.randint(0, 9999)}',
- 'published_at': generate_random_date(),
- 'reference': f'reference{random.randint(0, 9999)}',
- 'report_id': f'report{random.randint(0, 9999)}',
- 'scanner': {
- 'source': random.choice(['Nessus', 'OpenVAS']),
- 'vendor': random.choice(['Tenable', 'Greenbone']),
- 'condition': random.choice(['is', 'is not'])
- },
- 'score': {
- 'base': random.uniform(0, 10),
- 'environmental': random.uniform(0, 10),
- 'temporal': random.uniform(0, 10),
- 'version': random.choice(['v2', 'v3'])
- },
- 'severity': random.choice(['low', 'medium', 'high']),
- 'under_evaluation': random.choice([True, False])
- }
- return vulnerability
-
-
-def generate_random_data(number):
- data = []
- for _ in range(number):
- event_data = {
- 'agent': generate_random_agent(),
- 'host': generate_random_host(),
- 'package': generate_random_package(),
- 'vulnerability': generate_random_vulnerability()
- }
- data.append(event_data)
- return data
-
-
-def inject_events(ip, port, index, username, password, data):
- url = f'https://{ip}:{port}/{index}/_doc'
- session = requests.Session()
- session.auth = (username, password)
- session.verify = False
- headers = {'Content-Type': 'application/json'}
-
- try:
- for event_data in data:
- response = session.post(url, json=event_data, headers=headers)
- if response.status_code != 201:
- logging.error(f'Error: {response.status_code}')
- logging.error(response.text)
- break
- logging.info('Data injection completed successfully.')
- except Exception as e:
- logging.error(f'Error: {str(e)}')
-
-
-def main():
- try:
- number = int(input("How many events do you want to generate? "))
- except ValueError:
- logging.error("Invalid input. Please enter a valid number.")
- return
-
- logging.info(f"Generating {number} events...")
- data = generate_random_data(number)
-
- with open(GENERATED_DATA_FILE, 'a') as outfile:
- for event_data in data:
- json.dump(event_data, outfile)
- outfile.write('\n')
-
- logging.info('Data generation completed.')
-
- inject = input(
- "Do you want to inject the generated data into your indexer? (y/n) ").strip().lower()
- if inject == 'y':
- ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP
- port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT
- index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME
- username = input(f"Username (default: '{USERNAME}'): ") or USERNAME
- password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD
- inject_events(ip, port, index, username, password, data)
-
-
-if __name__ == "__main__":
- main()
diff --git a/ecs/states-vulnerabilities/fields/custom/agent.yml b/ecs/states-vulnerabilities/fields/custom/agent.yml
deleted file mode 100644
index 9feecf4e2da98..0000000000000
--- a/ecs/states-vulnerabilities/fields/custom/agent.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: agent
- title: Wazuh Agents
- short: Wazuh Inc. custom fields.
- type: group
- group: 2
- fields:
- - name: groups
- type: keyword
- level: custom
- description: >
- List of groups the agent belong to.
diff --git a/ecs/states-vulnerabilities/fields/custom/host.yml b/ecs/states-vulnerabilities/fields/custom/host.yml
deleted file mode 100644
index a0356d13da657..0000000000000
--- a/ecs/states-vulnerabilities/fields/custom/host.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: host
- reusable:
- top_level: true
- expected:
- - { at: agent, as: host }
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/custom/os.yml b/ecs/states-vulnerabilities/fields/custom/os.yml
deleted file mode 100644
index 952c2d6e93a40..0000000000000
--- a/ecs/states-vulnerabilities/fields/custom/os.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: os
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/custom/package.yml b/ecs/states-vulnerabilities/fields/custom/package.yml
deleted file mode 100644
index 40d04c580f521..0000000000000
--- a/ecs/states-vulnerabilities/fields/custom/package.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-- name: package
- title: Package
- group: 2
- short: These fields contain information about an installed software package.
- description: >
- These fields contain information about an installed software package.
- It contains general information about a package, such as name, version or size.
- It also contains installation details, such as time or location.
- type: group
- fields:
- - name: size
- type: unsigned_long
- level: custom
- description: >
- Package size in bytes.
diff --git a/ecs/states-vulnerabilities/fields/custom/risk.yml b/ecs/states-vulnerabilities/fields/custom/risk.yml
deleted file mode 100644
index 1c06213bc6205..0000000000000
--- a/ecs/states-vulnerabilities/fields/custom/risk.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: risk
- reusable:
- top_level: false
- expected:
- - agent.host
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/custom/vulnerability.yml b/ecs/states-vulnerabilities/fields/custom/vulnerability.yml
deleted file mode 100644
index d6ba31145b2a6..0000000000000
--- a/ecs/states-vulnerabilities/fields/custom/vulnerability.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-- name: vulnerability
- title: Vulnerability
- group: 2
- short: Fields to describe the vulnerability relevant to an event.
- description: >
- The vulnerability fields describe information about a vulnerability that is
- relevant to an event.
- type: group
- fields:
- - name: detected_at
- type: date
- level: custom
- description: >
- Vulnerability's detection date.
- - name: published_at
- type: date
- level: custom
- description: >
- Vulnerability's publication date.
- - name: under_evaluation
- type: boolean
- level: custom
- description: >
- Indicates if the vulnerability is awaiting analysis by the NVD.
- - name: scanner.source
- type: keyword
- level: custom
- description: >
- The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
- - name: scanner.condition
- type: keyword
- level: custom
- description: >
- The condition matched by the package that led the scanner to consider it vulnerable.
diff --git a/ecs/states-vulnerabilities/fields/custom/wazuh.yml b/ecs/states-vulnerabilities/fields/custom/wazuh.yml
deleted file mode 100644
index cbc1a38f016df..0000000000000
--- a/ecs/states-vulnerabilities/fields/custom/wazuh.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: wazuh
- title: Wazuh
- description: >
- Wazuh Inc. custom fields
- fields:
- - name: cluster.name
- type: keyword
- level: custom
- description: >
- Wazuh cluster name.
- - name: cluster.node
- type: keyword
- level: custom
- description: >
- Wazuh cluster node name.
- - name: schema.version
- type: keyword
- level: custom
- description: >
- Wazuh schema version.
diff --git a/ecs/states-vulnerabilities/fields/mapping-settings.json b/ecs/states-vulnerabilities/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/states-vulnerabilities/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/states-vulnerabilities/fields/subset.yml b/ecs/states-vulnerabilities/fields/subset.yml
deleted file mode 100644
index d0b44d3a712f1..0000000000000
--- a/ecs/states-vulnerabilities/fields/subset.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-name: wazuh-states-vulnerabilities
-fields:
- base:
- fields:
- tags: []
- agent:
- fields:
- groups: {}
- id: {}
- name: {}
- type: {}
- version: {}
- host:
- fields: "*"
- package:
- fields: "*"
- host:
- fields: "*"
- vulnerability:
- fields: "*"
- wazuh:
- fields: "*"
diff --git a/ecs/states-vulnerabilities/fields/template-settings-legacy.json b/ecs/states-vulnerabilities/fields/template-settings-legacy.json
deleted file mode 100644
index 17a7bd4f6c785..0000000000000
--- a/ecs/states-vulnerabilities/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "index_patterns": ["wazuh-states-vulnerabilities*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "host.os.full",
- "host.os.version",
- "package.name",
- "package.version",
- "vulnerability.id",
- "vulnerability.description",
- "vulnerability.severity",
- "wazuh.cluster.name"
- ]
- }
- }
-}
diff --git a/ecs/states-vulnerabilities/fields/template-settings.json b/ecs/states-vulnerabilities/fields/template-settings.json
deleted file mode 100644
index 901003b59b17f..0000000000000
--- a/ecs/states-vulnerabilities/fields/template-settings.json
+++ /dev/null
@@ -1,25 +0,0 @@
-{
- "index_patterns": ["wazuh-states-vulnerabilities*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.groups",
- "host.os.full",
- "host.os.version",
- "package.name",
- "package.version",
- "vulnerability.id",
- "vulnerability.description",
- "vulnerability.severity",
- "wazuh.cluster.name"
- ]
- }
- }
- }
-}
diff --git a/integrations/.gitignore b/integrations/.gitignore
deleted file mode 100644
index 49aa039cc7e32..0000000000000
--- a/integrations/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-external
-docker/certs
-docker/config
diff --git a/integrations/README.md b/integrations/README.md
deleted file mode 100644
index c530fda5dc716..0000000000000
--- a/integrations/README.md
+++ /dev/null
@@ -1,33 +0,0 @@
-## Wazuh indexer integrations
-
-This folder contains integrations with third-party XDR, SIEM and cybersecurity software.
-The goal is to transport Wazuh's analysis to the platform that suits your needs.
-
-### Amazon Security Lake
-
-Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers,
-on premises, and cloud sources into a purpose-built data lake stored in your account. With Security Lake,
-you can get a more complete understanding of your security data across your entire organization. You can
-also improve the protection of your workloads, applications, and data. Security Lake has adopted the
-Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes
-and combines security data from AWS and a broad range of enterprise security data sources.
-
-Refer to these documents for more information about this integration:
-
-- [User Guide](./amazon-security-lake/README.md).
-- [Developer Guide](./amazon-security-lake/CONTRIBUTING.md).
-
-### Other integrations
-
-We host development environments to support the following integrations:
-
-- [Splunk](./splunk/README.md).
-- [Elasticsearch](./elastic/README.md).
-- [OpenSearch](./opensearch/README.md).
-
-**Compatibility matrix**
-
-| | Wazuh | Logstash | OpenSearch | Elastic | Splunk |
-| -------------- | ------ | -------- | ---------- | ------- | ------ |
-| v1.0 | 4.8.1 | 8.9.0 | 2.14.0 | 8.14.3 | 9.1.4 |
-| Latest version | 4.10.1 | 8.9.0 | 2.18.0 | 8.17.1 | 9.4.0 |
diff --git a/integrations/amazon-security-lake/.dockerignore b/integrations/amazon-security-lake/.dockerignore
deleted file mode 100644
index 891ff7a135014..0000000000000
--- a/integrations/amazon-security-lake/.dockerignore
+++ /dev/null
@@ -1,180 +0,0 @@ -wazuh-event.ocsf.json -*.parquet -Dockerfile - -# Created by https://www.toptal.com/developers/gitignore/api/python -# Edit at https://www.toptal.com/developers/gitignore?templates=python - -### Python ### -# Byte-compiled / optimized / DLL files -__pycache__/ -*.py[cod] -*$py.class - -# C extensions -*.so - -# Distribution / packaging -.Python -build/ -develop-eggs/ -dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ -share/python-wheels/ -*.egg-info/ -.installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. -*.manifest -*.spec - -# Installer logs -pip-log.txt -pip-delete-this-directory.txt - -# Unit test / coverage reports -htmlcov/ -.tox/ -.nox/ -.coverage -.coverage.* -.cache -nosetests.xml -coverage.xml -*.cover -*.py,cover -.hypothesis/ -.pytest_cache/ -cover/ - -# Translations -*.mo -*.pot - -# Django stuff: -*.log -local_settings.py -db.sqlite3 -db.sqlite3-journal - -# Flask stuff: -instance/ -.webassets-cache - -# Scrapy stuff: -.scrapy - -# Sphinx documentation -docs/_build/ - -# PyBuilder -.pybuilder/ -target/ - -# Jupyter Notebook -.ipynb_checkpoints - -# IPython -profile_default/ -ipython_config.py - -# pyenv -# For a library or package, you might want to ignore these files since the code is -# intended to run in multiple environments; otherwise, check them in: -# .python-version - -# pipenv -# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. -# However, in case of collaboration, if having platform-specific dependencies or dependencies -# having no cross-platform support, pipenv may install dependencies that don't work, or not -# install all needed dependencies. -#Pipfile.lock - -# poetry -# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
-# This is especially recommended for binary packages to ensure reproducibility, and is more -# commonly ignored for libraries. -# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control -#poetry.lock - -# pdm -# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. -#pdm.lock -# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it -# in version control. -# https://pdm.fming.dev/#use-with-ide -.pdm.toml - -# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm -__pypackages__/ - -# Celery stuff -celerybeat-schedule -celerybeat.pid - -# SageMath parsed files -*.sage.py - -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ -.dmypy.json -dmypy.json - -# Pyre type checker -.pyre/ - -# pytype static type analyzer -.pytype/ - -# Cython debug symbols -cython_debug/ - -# PyCharm -# JetBrains specific template is maintained in a separate JetBrains.gitignore that can -# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore -# and can be added to the global gitignore or merged into this file. For a more nuclear -# option (not recommended) you can uncomment the following to ignore the entire idea folder. -#.idea/ - -### Python Patch ### -# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration -poetry.toml - -# ruff -.ruff_cache/ - -# LSP config files -pyrightconfig.json - -# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/.gitignore b/integrations/amazon-security-lake/.gitignore deleted file mode 100644 index 0740f723d0c79..0000000000000 --- a/integrations/amazon-security-lake/.gitignore +++ /dev/null 
@@ -1,179 +0,0 @@ -wazuh-event.ocsf.json -*.parquet - -# Created by https://www.toptal.com/developers/gitignore/api/python -# Edit at https://www.toptal.com/developers/gitignore?templates=python - -### Python ### -# Byte-compiled / optimized / DLL files -__pycache__/ -*.py[cod] -*$py.class - -# C extensions -*.so - -# Distribution / packaging -.Python -build/ -develop-eggs/ -dist/ -downloads/ -eggs/ -.eggs/ -lib/ -lib64/ -parts/ -sdist/ -var/ -wheels/ -share/python-wheels/ -*.egg-info/ -.installed.cfg -*.egg -MANIFEST - -# PyInstaller -# Usually these files are written by a python script from a template -# before PyInstaller builds the exe, so as to inject date/other infos into it. -*.manifest -*.spec - -# Installer logs -pip-log.txt -pip-delete-this-directory.txt - -# Unit test / coverage reports -htmlcov/ -.tox/ -.nox/ -.coverage -.coverage.* -.cache -nosetests.xml -coverage.xml -*.cover -*.py,cover -.hypothesis/ -.pytest_cache/ -cover/ - -# Translations -*.mo -*.pot - -# Django stuff: -*.log -local_settings.py -db.sqlite3 -db.sqlite3-journal - -# Flask stuff: -instance/ -.webassets-cache - -# Scrapy stuff: -.scrapy - -# Sphinx documentation -docs/_build/ - -# PyBuilder -.pybuilder/ -target/ - -# Jupyter Notebook -.ipynb_checkpoints - -# IPython -profile_default/ -ipython_config.py - -# pyenv -# For a library or package, you might want to ignore these files since the code is -# intended to run in multiple environments; otherwise, check them in: -# .python-version - -# pipenv -# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. -# However, in case of collaboration, if having platform-specific dependencies or dependencies -# having no cross-platform support, pipenv may install dependencies that don't work, or not -# install all needed dependencies. -#Pipfile.lock - -# poetry -# Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control. 
-# This is especially recommended for binary packages to ensure reproducibility, and is more -# commonly ignored for libraries. -# https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control -#poetry.lock - -# pdm -# Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control. -#pdm.lock -# pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it -# in version control. -# https://pdm.fming.dev/#use-with-ide -.pdm.toml - -# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm -__pypackages__/ - -# Celery stuff -celerybeat-schedule -celerybeat.pid - -# SageMath parsed files -*.sage.py - -# Environments -.env -.venv -env/ -venv/ -ENV/ -env.bak/ -venv.bak/ - -# Spyder project settings -.spyderproject -.spyproject - -# Rope project settings -.ropeproject - -# mkdocs documentation -/site - -# mypy -.mypy_cache/ -.dmypy.json -dmypy.json - -# Pyre type checker -.pyre/ - -# pytype static type analyzer -.pytype/ - -# Cython debug symbols -cython_debug/ - -# PyCharm -# JetBrains specific template is maintained in a separate JetBrains.gitignore that can -# be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore -# and can be added to the global gitignore or merged into this file. For a more nuclear -# option (not recommended) you can uncomment the following to ignore the entire idea folder. -#.idea/ - -### Python Patch ### -# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration -poetry.toml - -# ruff -.ruff_cache/ - -# LSP config files -pyrightconfig.json - -# End of https://www.toptal.com/developers/gitignore/api/python \ No newline at end of file diff --git a/integrations/amazon-security-lake/CONTRIBUTING.md b/integrations/amazon-security-lake/CONTRIBUTING.md deleted file mode 100644 index e819fac2f6c7e..0000000000000 
--- a/integrations/amazon-security-lake/CONTRIBUTING.md +++ /dev/null 
@@ -1,61 +0,0 @@ -# Wazuh to Amazon Security Lake Integration Development Guide - -## Deployment guide on Docker - -A demo of the integration can be started using the content of this folder and Docker. Open a terminal in the `wazuh-indexer/integrations` folder and start the environment. - -```console -docker compose -f ./docker/compose.amazon-security-lake.yml up -d -``` - -This Docker Compose project will bring up these services: - -- a _wazuh-indexer_ node -- a _wazuh-dashboard_ node -- a _logstash_ node -- our [events generator](../tools/events-generator/README.md) -- an AWS Lambda Python container. - -| Service | Address | Credentials | -| ------------- | ------------------------ | --------------- | -| Wazuh Indexer | https://localhost:9200 | admin:admin | -| Dashboards | https://localhost:5601 | admin:admin | -| S3 Ninja | http://localhost:9444/ui | | - -On the one hand, the event generator will push events constantly to the indexer, to the `wazuh-alerts-4.x-sample` index by default (refer to the [events generator](../tools/events-generator/README.md) documentation for customization options). On the other hand, Logstash will query for new data and deliver it to output configured in the pipeline `indexer-to-s3`. This pipeline delivers the data to an S3 bucket, from which the data is processed using a Lambda function, to finally be sent to the Amazon Security Lake bucket in Parquet format. - -The pipeline starts automatically, but if you need to start it manually, attach a terminal to the Logstash container and start the integration using the command below: - -```console -/usr/share/logstash/bin/logstash -f /usr/share/logstash/pipeline/indexer-to-s3.conf -``` - -After 5 minutes, the first batch of data will show up in http://localhost:9444/ui/wazuh-aws-security-lake-raw. You'll need to invoke the Lambda function manually, selecting the log file to process. 
- -```bash -bash amazon-security-lake/invoke-lambda.sh -``` - -Processed data will be uploaded to http://localhost:9444/ui/wazuh-aws-security-lake-parquet. Click on any file to download it, and check it's content using `parquet-tools`. Just make sure of installing the virtual environment first, through [requirements.txt](./requirements.txt). - -```bash -parquet-tools show -``` - -If the `S3_BUCKET_OCSF` variable is set in the container running the AWS Lambda function, intermediate data in OCSF and JSON format will be written to a dedicated bucket. This is enabled by default, writing to the `wazuh-aws-security-lake-ocsf` bucket. Bucket names and additional environment variables can be configured editing the [compose.amazon-security-lake.yml](../docker/compose.amazon-security-lake.yml) file. - -For development or debugging purposes, you may want to enable hot-reload, test or debug on these files, by using the `--config.reload.automatic`, `--config.test_and_exit` or `--debug` flags, respectively. - -For production usage, follow the instructions in our documentation page about this matter. -See [README.md](README.md). The instructions on that section have been based on the following AWS tutorials and documentation. - -- [Tutorial: Using an Amazon S3 trigger to create thumbnail images](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-tutorial.html) -- [Tutorial: Using an Amazon S3 trigger to invoke a Lambda function](https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html) -- [Working with .zip file archives for Python Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/python-package.html) -- [Best practices for working with AWS Lambda functions](https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html) - -## Makefile - -**Docker is required**. - -The [Makefile](./Makefile) in this folder automates the generation of a zip deployment package containing the source code and the required dependencies for the AWS Lambda function. 
Simply run `make` and it will generate the `wazuh_to_amazon_security_lake.zip` file. The main target runs a Docker container to install the Python3 dependencies locally, and zips the source code and the dependencies together. diff --git a/integrations/amazon-security-lake/Dockerfile b/integrations/amazon-security-lake/Dockerfile deleted file mode 100644 index 2a5420e4bcfef..0000000000000 --- a/integrations/amazon-security-lake/Dockerfile +++ /dev/null @@ -1,17 +0,0 @@ -# docker build --platform linux/amd64 --no-cache -f aws-lambda.dockerfile -t docker-image:test . -# docker run --platform linux/amd64 -p 9000:8080 docker-image:test - -# FROM public.ecr.aws/lambda/python:3.9 -FROM amazon/aws-lambda-python:3.12 - -# Copy requirements.txt -COPY requirements.aws.txt ${LAMBDA_TASK_ROOT} - -# Install the specified packages -RUN pip install -r requirements.aws.txt - -# Copy function code -COPY src ${LAMBDA_TASK_ROOT} - -# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile) -CMD [ "lambda_function.lambda_handler" ] diff --git a/integrations/amazon-security-lake/Makefile b/integrations/amazon-security-lake/Makefile deleted file mode 100644 index d93bcbb400e74..0000000000000 --- a/integrations/amazon-security-lake/Makefile +++ /dev/null 
@@ -1,30 +0,0 @@ - -ZIP_NAME = wazuh_to_amazon_security_lake -TARGET = package -SRC = src - -# Main target -.ONESHELL: -$(ZIP_NAME).zip: $(TARGET) $(SRC)/lambda_function.py $(SRC)/wazuh_ocsf_converter.py - @cd $(TARGET) - @zip -r ../$(ZIP_NAME).zip . - @cd ../$(SRC) - @zip ../$@ lambda_function.py wazuh_ocsf_converter.py - @zip ../$@ models -r - -$(TARGET): - docker run -v `pwd`:/src -w /src \ - python:3.12 \ - pip install \ - --platform manylinux2014_x86_64 \ - --target=$(TARGET) \ - --implementation cp \ - --python-version 3.12 \ - --only-binary=:all: \ - -r requirements.aws.txt - -clean: - @rm -rf $(TARGET) - docker run -v `pwd`:/src -w /src \ - python:3.12 \ - py3clean . \ No newline at end of file diff --git a/integrations/amazon-security-lake/README.md b/integrations/amazon-security-lake/README.md deleted file mode 100644 index 989bbbafc868b..0000000000000 --- a/integrations/amazon-security-lake/README.md +++ /dev/null 
@@ -1,292 +0,0 @@ -# Wazuh to Amazon Security Lake Integration Guide - -## Table of Contents - -- [Wazuh to Amazon Security Lake Integration Guide](#wazuh-to-amazon-security-lake-integration-guide) - - [Table of Contents](#table-of-contents) - - [Introduction](#introduction) - - [Amazon Security Lake](#amazon-security-lake) - - [Open Cybersecurity Schema Framework](#open-cybersecurity-schema-framework) - - [Wazuh Security Events](#wazuh-security-events) - - [Wazuh Security Events to Amazon Security Lake](#wazuh-security-events-to-amazon-security-lake) - - [Prerequisites](#prerequisites) - - [Integration guide](#integration-guide) - - [Configure Amazon Security Lake](#configure-amazon-security-lake) - - [Create a custom source for Wazuh](#create-a-custom-source-for-wazuh) - - [Create an S3 bucket to store events](#create-an-s3-bucket-to-store-events) - - [Create an AWS Lambda function](#create-an-aws-lambda-function) - - [Validation](#validation) - - [Install and configure Logstash](#install-and-configure-logstash) - - [Configure the Logstash pipeline](#configure-the-logstash-pipeline) - - [Running Logstash](#running-logstash) - - [OCSF Mapping](#ocsf-mapping) - - [Metadata](#metadata) - - [Security events](#security-events) - - [Troubleshooting](#troubleshooting) - - [Support](#support) - -## Introduction - -### Amazon Security Lake - -Amazon Security Lake automatically centralizes security data from AWS environments, SaaS providers, on premises, and cloud sources into a purpose-built data lake stored in your account. With Security Lake, you can get a more complete understanding of your security data across your entire organization. You can also improve the protection of your workloads, applications, and data. Security Lake has adopted the Open Cybersecurity Schema Framework (OCSF), an open standard. With OCSF support, the service normalizes and combines security data from AWS and a broad range of enterprise security data sources. 
- -### Open Cybersecurity Schema Framework - -The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that data scientists and analysts can work with a common language for threat detection and investigation. The goal is to provide an open standard, adopted in any environment, application, or solution, while complementing existing security standards and processes. - -### Wazuh Security Events - -Wazuh uses rules to monitor the events and logs in your network to detect security threats. When the events and logs meet the test criteria that is defined in the rules, an alert is created to show that a security attack or policy breach is suspected. - -**References**: - -- https://documentation.wazuh.com/current/user-manual/ruleset/getting-started.html#github-repository -- https://github.com/wazuh/wazuh/tree/main/ruleset/rules -- https://github.com/wazuh/wazuh/blob/main/extensions/elasticsearch/7.x/wazuh-template.json - -### Wazuh Security Events to Amazon Security Lake - -Wazuh Security Events can be converted to OCSF events and Parquet format, required by Amazon Security Lake, by using an AWS Lambda Python function, a Logstash instance and an AWS S3 bucket. - -A properly configured Logstash instance can send the Wazuh Security events to an AWS S3 bucket, automatically invoking the AWS Lambda function that will transform and send the events to the Amazon Security lake dedicated S3 bucket. 
- -The diagram below illustrates the process of converting Wazuh Security Events to OCSF events and to Parquet format for Amazon Security Lake: - -![Overview diagram of the Wazuh integration with Amazon Security Lake](./images/asl-overview.jpeg) - -## Prerequisites - -1. Amazon Security Lake is enabled. -2. At least one up and running `wazuh-indexer` instance with populated `wazuh-alerts-4.x-*` indices. -3. A Logstash instance. -4. An S3 bucket to store raw events. -5. An AWS Lambda function, using the Python 3.12 runtime. -6. (Optional) An S3 bucket to store OCSF events, mapped from raw events. - -## Integration guide - -### Configure Amazon Security Lake - -Enable Amazon Security Lake as per the [official instructions](https://docs.aws.amazon.com/security-lake/latest/userguide/what-is-security-lake.html). - -#### Create a custom source for Wazuh - -Follow the [official documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html) to register Wazuh as a custom source. - -To create the custom source: - -1. From the Amazon Security Lake console, click on _Custom Sources_. -2. Click on the _Create custom source_ button. -3. Enter "Wazuh" as the _Data source name_. -4. Select "Security Finding" as the _OCSF Event class_. -5. For _AWS account with permission to write data_, enter the AWS account ID and External ID of the custom source that will write logs and events to the data lake. -6. For _Service Access_, create and use a new service role or use an existing service role that gives Security Lake permission to invoke AWS Glue. - ![*Custom source* creation form](./images/asl-custom-source-form.jpeg) -7. Choose _Create_. Upon creation, Amazon Security Lake automatically creates an AWS Service Role with permissions to push files into the Security Lake bucket, under the proper prefix named after the custom source name. An AWS Glue Crawler is also created to populate the AWS Glue Data Catalog automatically. 
- ![*Custom source* after creation](./images/asl-custom-source.jpeg) -8. Finally, collect the S3 bucket details, as these will be needed in the next step. Make sure you have the following information: - - The Amazon Security Lake S3 region. - - The S3 bucket name (e.g, `aws-security-data-lake-us-east-1-AAABBBCCCDDD`). - -### Create an S3 bucket to store events - -Follow the [official documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html) to create an S3 bucket within your organization. Use a descriptive name, for example: `wazuh-aws-security-lake-raw`. - -### Create an AWS Lambda function - -Follow the [official documentation](https://docs.aws.amazon.com/lambda/latest/dg/getting-started.html) to create an AWS Lambda: - -- Select Python 3.12 as the runtime. -- Configure the runtime to have 512 MB of memory and 30 seconds timeout. -- Configure a trigger so every object with `.txt` extension uploaded to the S3 bucket created previously invokes the Lambda. - ![AWS Lambda trigger](./images/asl-lambda-trigger.jpeg) -- Use the [Makefile](./Makefile) to generate the zip package `wazuh_to_amazon_security_lake.zip`, and upload it to the S3 bucket created previously as per [these instructions](https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-package.html#gettingstarted-package-zip). See [CONTRIBUTING](./CONTRIBUTING.md) for details about the Makefile. 
-- Configure the Lambda with the at least the required _Environment Variables_ below: - - | Environment variable | Required | Value | - | -------------------- | -------- | -------------------------------------------------------------------------------------------------- | - | AWS_BUCKET | True | The name of the Amazon S3 bucket in which Security Lake stores your custom source data | - | SOURCE_LOCATION | True | The _Data source name_ of the _Custom Source_ | - | ACCOUNT_ID | True | Enter the ID that you specified when creating your Amazon Security Lake custom source | - | REGION | True | AWS Region to which the data is written | - | S3_BUCKET_OCSF | False | S3 bucket to which the mapped events are written | - | OCSF_CLASS | False | The OCSF class to map the events into. Can be "SECURITY_FINDING" (default) or "DETECTION_FINDING". | - -### Validation - -To validate that the Lambda function works as it should, add the sample events below to the `sample.txt` file and upload it to the S3 bucket. 
- -``` -{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:20:46.976+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80791","description":"Audit: Command: /usr/sbin/crond"},"location":"","agent":{"id":"004","ip":"47.204.15.21","name":"Ubuntu"},"data":{"audit":{"type":"NORMAL","file":{"name":"/etc/sample/file"},"success":"yes","command":"cron","exe":"/usr/sbin/crond","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:20:46.976Z"} -{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:03.034+0000","rule":{"mail":false,"gdpr":["IV_30.1.g"],"groups":["audit","audit_command"],"level":3,"firedtimes":1,"id":"80790","description":"Audit: Command: /usr/sbin/bash"},"location":"","agent":{"id":"007","ip":"24.273.97.14","name":"Debian"},"data":{"audit":{"type":"PATH","file":{"name":"/bin/bash"},"success":"yes","command":"bash","exe":"/usr/sbin/bash","cwd":"/home/wazuh"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:03.034Z"} -{"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"timestamp":"2024-04-22T14:22:08.087+0000","rule":{"id":"1740","mail":false,"description":"Sample alert 1","groups":["ciscat"],"level":9},"location":"","agent":{"id":"006","ip":"207.45.34.78","name":"Windows"},"data":{"cis":{"rule_title":"CIS-CAT 5","timestamp":"2024-04-22T14:22:08.087+0000","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","result":"notchecked","pass":52,"fail":0,"group":"Access, Authentication and Authorization","unknown":61,"score":79,"notchecked":1,"@timestamp":"2024-04-22T14:22:08.087+0000"}},"predecoder":{},"manager":{"name":"wazuh-manager"},"id":"1580123327.49031","decoder":{},"@version":"1","@timestamp":"2024-04-22T14:22:08.087Z"} -``` - -A successful 
execution of the Lambda function will map these events into the OCSF Security Finding Class and write them to the Amazon Security Lake S3 bucket in Paquet format, properly partitioned based on the Custom Source name, Account ID, AWS Region and date, as described in the [official documentation](https://docs.aws.amazon.com/security-lake/latest/userguide/custom-sources.html#custom-sources-best-practices). - -### Install and configure Logstash - -Install Logstash on a dedicated server or on the server hosting the `wazuh-indexer`. Logstash forwards the data from the `wazuh-indexer` to the [AWS S3 bucket created previously](#create-an-s3-bucket-to-store-events). - -1. Follow the [official documentation](https://www.elastic.co/guide/en/logstash/current/installing-logstash.html) to install Logstash. -2. Install the [logstash-input-opensearch](https://github.com/opensearch-project/logstash-input-opensearch) plugin and the [logstash-output-s3](https://www.elastic.co/guide/en/logstash/8.13/plugins-outputs-s3.html) plugin (this one is installed by default in most cases). - - ```console - sudo /usr/share/logstash/bin/logstash-plugin install logstash-input-opensearch - ``` - -3. Copy the `wazuh-indexer` root certificate on the Logstash server, to any folder of your choice (e.g, `/usr/share/logstash/root-ca.pem`). -4. Give the `logstash` user the required permissions to read the certificate. - - ```console - sudo chmod -R 755 /root-ca.pem - ``` - -#### Configure the Logstash pipeline - -A [Logstash pipeline](https://www.elastic.co/guide/en/logstash/current/configuration.html) allows Logstash to use plugins to read the data from the `wazuh-indexer`and send them to an AWS S3 bucket. - -The Logstash pipeline requires access to the following secrets: - -- `wazuh-indexer` credentials: `INDEXER_USERNAME` and `INDEXER_PASSWORD`. -- AWS credentials for the account with permissions to write to the S3 bucket: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. 
-- AWS S3 bucket details: `AWS_REGION` and `S3_BUCKET` (bucket name). - -1. Use the [Logstash keystore](https://www.elastic.co/guide/en/logstash/current/keystore.html) to securely store these values. - - -2. Create the configuration file `indexer-to-s3.conf` in the `/etc/logstash/conf.d/` folder: - - ```console - sudo touch /etc/logstash/conf.d/indexer-to-s3.conf - ``` - -3. Add the following configuration to the `indexer-to-s3.conf` file. - - ```console - input { - opensearch { - hosts => [":9200"] - user => "${INDEXER_USERNAME}" - password => "${INDEXER_PASSWORD}" - ssl => true - ca_file => "/root-ca.pem" - index => "wazuh-alerts-4.x-*" - query => '{ - "query": { - "range": { - "@timestamp": { - "gt": "now-5m" - } - } - } - }' - schedule => "*/5 * * * *" - } - } - - output { - stdout { - id => "output.stdout" - codec => json_lines - } - s3 { - id => "output.s3" - access_key_id => "${AWS_ACCESS_KEY_ID}" - secret_access_key => "${AWS_SECRET_ACCESS_KEY}" - region => "${AWS_REGION}" - bucket => "${S3_BUCKET}" - codec => "json_lines" - retry_count => 0 - validate_credentials_on_root_bucket => false - prefix => "%{+YYYY}%{+MM}%{+dd}" - server_side_encryption => true - server_side_encryption_algorithm => "AES256" - additional_settings => { - "force_path_style" => true - } - time_file => 5 - } - } - ``` - -#### Running Logstash - -1. Once you have everything set, run Logstash from the CLI with your configuration: - - ```console - sudo systemctl stop logstash - sudo -E /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/indexer-to-s3.conf --path.settings /etc/logstash --config.test_and_exit - ``` - -2. After confirming that the configuration loads correctly without errors, run Logstash as a service. - - ```console - sudo systemctl enable logstash - sudo systemctl start logstash - ``` - -## OCSF Mapping - -The integration maps Wazuh Security Events to the **OCSF v1.1.0** [Security Finding (2001)](https://schema.ocsf.io/classes/security_finding) Class. 
-The tables below represent how the Wazuh Security Events are mapped into the OCSF Security Finding Class. - -> **NOTE**: This does not reflect any transformations or evaluations of the data. Some data evaluation and transformation will be necessary for a correct representation in OCSF that matches all requirements. - -### Metadata - -| **OCSF Key** | **OCSF Value Type** | **Value** | -| ---------------------------- | ------------------- | ------------------ | -| category_uid | Integer | 2 | -| category_name | String | "Findings" | -| class_uid | Integer | 2001 | -| class_name | String | "Security Finding" | -| type_uid | Long | 200101 | -| metadata.product.name | String | "Wazuh" | -| metadata.product.vendor_name | String | "Wazuh, Inc." | -| metadata.product.version | String | "4.9.1" | -| metadata.product.lang | String | "en" | -| metadata.log_name | String | "Security events" | -| metadata.log_provider | String | "Wazuh" | - -#### Security events - -| **OCSF Key** | **OCSF Value Type** | **Wazuh Event Value** | -| ---------------------- | ------------------- | -------------------------------------- | -| activity_id | Integer | 1 | -| time | Timestamp | timestamp | -| message | String | rule.description | -| count | Integer | rule.firedtimes | -| finding.uid | String | id | -| finding.title | String | rule.description | -| finding.types | String Array | input.type | -| analytic.category | String | rule.groups | -| analytic.name | String | decoder.name | -| analytic.type | String | "Rule" | -| analytic.type_id | Integer | 1 | -| analytic.uid | String | rule.id | -| risk_score | Integer | rule.level | -| attacks.tactic.name | String | rule.mitre.tactic | -| attacks.technique.name | String | rule.mitre.technique | -| attacks.technique.uid | String | rule.mitre.id | -| attacks.version | String | "v13.1" | -| nist | String Array | rule.nist_800_53 | -| severity_id | Integer | convert(rule.level) | -| status_id | Integer | 99 | -| resources.name | String | agent.name 
| -| resources.uid | String | agent.id | -| data_sources | String Array | ['_index', 'location', 'manager.name'] | -| raw_data | String | full_log | - -## Troubleshooting - -| **Issue** | **Resolution** | -| --------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| The Wazuh alert data is available in the Amazon Security Lake S3 bucket, but the Glue Crawler fails to parse the data into the Security Lake. | This issue typically occurs when the custom source that is created for the integration is using the wrong event class. Make sure you create the custom source with the Security Finding event class. | - -## Support - -The integration guide is an open source project and not a Wazuh product. As such, it carries no formal support, expressed, or implied. If you encounter any issues while deploying the integration guide, you can create an issue on our GitHub repository for bugs, enhancements, or other requests. - -Amazon Security Lake is an AWS product. As such, any questions or problems you experience with this service should be handled through a support ticket with AWS Support. 
diff --git a/integrations/amazon-security-lake/images/asl-custom-source-form.jpeg b/integrations/amazon-security-lake/images/asl-custom-source-form.jpeg deleted file mode 100644 index c14d960f7370d3bb976765d3931e5c5e5c0c25ae..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 59572 zcmeFZ1yEewwl3O8aDuys#wECG2p%j1hXBE)akmZ-Bm~#s?yilyySoGr?ryjLfA6|` z|NB&(d)}$K=hdsX7d5FKYc-2C=J@8EV|-)G^)mnR3xFvnB`XDhfdK$upg(|@C4d9~ z2>}5S;S~}hA|f&}5(*kFIvOe}8WA=Q1}+&f1vwcpDJdn8m5%ZaGc_qGJud?@8#@;l z7X=-^Fdv5yD<>DnA2)$PMn*+^bjc@X&92L$3qiv0hR=Hypl5xbLDe zD?5;>IX|A_eQ}sT!3T1!)13XG+Mk;J*A(;nZ)x_w75j%?ivTn@7^v~!umGZfqqcP! zH`QlPOZ}TC@NJUlU!=<dMm(#hb?$kY7C>*=&}v)x@7r-qrtWuTlI}^kDfD%Kz@Vf9}hFciq2H2VHmmJz)Pn_5FLU`}Z>O$1=gH zB8eMgSbgJ^HNBHf5 z9&O@AI<{Lxcf#54Sr2XVM(5oHy7;55i(JabZJty1C6P6Mx$Ea9a1z21_~3s2_;)!+ z`UY(|!8b3hVwT#7^z41w*%djFS+V^F`zGM8v~Oy~YlLoDU;UL|>*uoaJGiO)!$a4|&xjlW?(Ko=XD(3M19I?^ca1 zr>D?G9w$$0Z+?aCJYJ*4Y(lA(`B@=4?O5}$ zEagS00ZPYd`eWP+fCStCb(b?fYB#y-+P+^ivmL+GE}Ofy@QFuvg6pi7VdqGjTXl=7nU-(-3On+4LJ&#EPpj)oyamnkg^m47aR(+D{2x zJD9;Cac)KeXoM749Z;kdDn9z_^|Xt{wjC~<9_c2 zP*uy}`wCY@>=mv$&iICic3HcRMAv@)m|lD0!TUe|-0-CF9{rR#kYL zHS1#x?#5fLuIuRR!3zMeT=!aNlZecs^45=_RzBOzCH`ENSdzNPm-ZS3iKIGQd*8X@P?y50d~pS64{KQ*(mMjlXpWAj$8CG4-7LfHu=n2 zU(4}>sLrWSW1Wv{|)toFnWQb(~D6 zxhyR2Fu)TkWJ&vI=W3!Q_9$YcI`F0?2LwLw^f3*y2}p`SNKTdiIce5H`JCKH2dO{DuJb?*DDjl-eP*tqe1rqrtD zbcwbgnQ0SFarPw>hc&ksK*jTBDEZX{)bN@&1d9Q^rQCtZ*XGY-#6pwHOngITD7aYj z&Lgs{5cCq>Jg2C%Zo1U%f-Zc(V}mgNiN@iU+0h$I6-|f;<&tedOKDv9nvn*AQjDQ9 zX}BgYh4_(N(jES6pn}Lz*>3RAwOc1X3VZy+EnHN%ZibUhO#xQMmpx}gbO0J(@8!u_q)1h;z zr$y4ntEgYm2*O4QHtR0{uV_(i8e~bmj4+vj1rBY-v_b=C5^5A(d0Tpevmp|L;@62} zeU(KXJmoagQxF1(XRF0#}zfxknp zRz^j&0rOc6^UX@vVK$44s9K*#tyDylYmAM3%6{y2#;sY&h?&RXF!keaIpwN| zSn1S-j_XaL98SxSowq`oLwVxvX8Fr;@lIhM3fKmfR00q7PG(D&Z}UcHjY#WmjD|j0 z%uAtkG-WuZVN7uycJ6HB1vqas32N!d@O%f5y znsL-{1{>el7Ylb^pOEgL9{i8<%lhsb3|1JAwN8XS_5sk5IlmF}jGascUnOhniW?;p z)yyFUS9WopVn+CAvEbVv`DOVwX>?{+I&eFQB%qE86I(A(3c(%swpkqQrr3fkbuR(M 
zM?tL~buxe%S2t%=5 zV(OtGsVlB>jVoeNWw(V7!VDKl7kSi1;Zco|otc2ARv#4+zX>+En5djL#J9Yr4O`Dr z;BD|uWo1hP0j~?f3=KAq52$Rp%sap(RynlcQoy(Q@9MTu}hi^?2oIiXzPEQn_a7esV2R*!8(F zMczvw&`K0Ufo==2p5o`x7yW>1*92n2wq^pJSr4UaqfUdq#6E06!=p zA8Ip8pBl_qc9WgH!T6pBd}i-E&~{R7!t)EE&tdx)P{D?m<7bMb0tJlEbe0=XXd-bc zWw(5nH}hKzM}8Gsc_NX>#+5qjd@&BcYOv6KI$?VOVA?#VwlEcC{qQ9vcU{m1;d>xt;&RBKo#c|*f7>}MPI89YI@ z&-z>BUGf&UcXxNyq5kR5JE22*1EUh6~DhnHn72JEJ-Hw$z%Qq!rUY`8|(y zFTTf?Mt!fYt_6c8e)MMZcuqy~by1^*b?MZj|NP(xZ&T~owo3&~03&2Ha?kf;m0p%k+e->Ip(tn^v3 z((?7^clWK3sWYe-mwvjjHz72!sJ}U-et0cL+9L@;18UsU_>cj=~1 z{MxB#f9EIn^77qhGb+1#n$=9<;ng>jYQ`Zlm8e;QOlV$5&BuK@mezyz^9QGBXu*Nx~ELU72xsciBH_bghZ+L$t^f?2EPun`~n!> zENiPMKgmzq?G}&;*Gzju=@ho0X|xO4brH1V&r^7caVOom=<%?QsX>MRNZsoTFj$~= zUzUXv3QsMr$x14>(#g-iLmqEA0eORmHz9i*y23quAx;A{(QdS$vJg=xC4jB4<3V4G z)`LxC!p+B?4FzWHmDH*B^K5LF06`tMUNJK9vaArrD)1zf{-Y{laejmz3q4w_-wkbn zYzM7mJE9D_UHBUf6bDH5ZN5hbdWb>UwLx-Ni~8d3gi+zQNaxcrsYNh?Vq+g>OL6nH zMs)5UgA_yjl_2GJvCgK`ul&*3sjU(WGIOlq5sN)Hr(OUvA0{r{oPL<9nZ|FZwt5CV zOhO8;uSJ$#ZG=8;m2m$Oy1Q>x|_v8wXZsO*B zitR>PsZaY96E(`76sV8nUN?K1T#x&Hbhywwi)R@yI=o3uN^X@8ogK!O+)R#4E29NZ zZg1)yn2QYi<2cjxW1pQG=>k6-jw?$n=fk9&;h9>~pW3(Jpe zn+uLnNP@K~m##zY9Q!D=GtJhuN@;2hi}1t82Mr|vcdq`^yD2z&EVzM=aGmJaRsjzl zIg=x#gA+R6!iWUO68nVj3RxdnSeC0}3OS@*Dt~lqN}tHxsHP`~hB-N@)@$w_3$fAa zY!i6Cn(0=>SlKllwx3JcEH&5MOaIa`&FXdZ0I+J`sK2H=)Ifj|2`f%V;o z(~*!{7j52(Tg9UOG{6E#*r18=nU47|Ox~)?Cwo>q7IGy(&`I1kFkufx>6g+E^k{I8 z5&48zsAVRH3f!ZGw=}F*Wr*n6A%L4F;r-ofu89LqeVxyDD$7R?@6j#XGOqRnkLW6;<#RQ3tVRkwogF9HAl_J8OT zm{Y5XMO$ua{GfgLi_JRvef+rzzlVEo(HD~z5mfe^q7CJ z395RtTxKpPMI2h;0NnixB|@g#;ti36b>y8WuADmF1pD5e4}EkfGDq!?W3?nT{<)(Y z7}(|-yl)oQw5M`YQjoG6rL6A_NM}KtaZfD!ENoJA2!yRh!C+%7?9^ z6@M)l_@zGs&-N``%p6gn?TWR9Wz-&4e{^q^)c)@-#z6<9Yp(rYA{4rAfm5AzyaG*o zsF^+aK>?-RX>I^m)ZOiehEc(3muH5vyxLsZa`St|=p=Qb^}u6UkqH4-cM>19(bq6V z(c2&wT7jG~iL9z--ZF^|B@8XgQz;|)*kzS)xkx)H&tLwUs|;tL}oGI&+ZK5&<__W67pae zj!)kc1hZa=0wl^6NSU0jBlzEc#IZw!gO3Rpwh+egZYv+hFJ*lJ%h=*{UvX>b8l0wdX4Yg_VVH$#UTW63G3JA08?jDNz=od%(CLY7r6 
zitmsG=l8J9b6nrY5pD80tHT%GT;|V3xUnh`4Q;I9a%YZ1o?2eL08)3cqM{y3T-rrF z7aLnNdXi?=Ld;H20<5if8f!vjU7fuSseT9(pbl{9*ovN0fT`=UprH_kTlL4}ZpT}z zZgrmP#uB@`Gg-^+%rud2W$uJGHMlQkn`3UP;ZF93_ic*%FTr#!5h zbpk2ABb36#As61Ly&@cEEV;wPK4H1y-bRAr&cZWYcY=K;l0!abcul`-aaY~qN1uh| zCYeAIN{v=l0pFs(g>MSoKYuzz)KGIKlbVyA%5Q5;7_9Y0?SGI5k=FxaZq+bwZ$s8P zSIHY@$}s!i0Dy9K#twD_7iFkDyw3vZ?H)PzbqU$Iq1QPzb{{s}aBn~h>V0Sx#1$w@@A4;ba-iof}De7wq@ zOQTQ%h}84fUaXX>!r$pv)3z?*At4)&!W&`s&03;?UeabpWcy3rMGS{T zp*D#fgf`;PH11w)ssa}X`$jdICyK?;Lhh}4`zXB!li$pIi=;g{#jFshq|2y?JJ0ti z&b9WjekWl}X3T5Tg3=}bK!kZ_`%M1Us`HvBfnfYSZDW0l3uY&V*t>Jt{=I`co+Ouj z`_7*<2(oS)UjQn}J$qa{gIpGAg5Durb}+$f@w><2 zKa0|E&qPCoR88_M8S*UD@124OI0mRsA`z%U<&c-AZolW$K8j*`_=x(hO?(F1LXm!( z_I&e6Xw<3=Xlbd5g1X(Y}v#WaXG&eYl)WqbbVY2R;|nW|aKyPPvo%-WmpXvt`*D!p-Y62L zcN;s-W-GlOwi%h}xs6tD3g4^isPXzsfU|+LbupB?l=WnvENI* z+FOm{mop%PU3_Dr0aQsW8+<}bv4NxK&UL}^z^JUFMOC+6P2;FuVax5hLR(iCmS3;8 zmP&h15yndtC*}$}L<2M`rU+ynbWfN*R7n#uR$`02M{OsfS9ama=%c8kHaL5V&fS#s@CC)>**#b^zJu#rs6Z7RzsC zZeb6)kwpV38`GZY(?MOy@iHBRl!>nq96v`$(quud3WW8>&?kt8$I3pb}lr;@8jT-l=1} zr-6{%+n9E%bshQd2zg05;#{_H1>frqw}bmW3eHhyM8NKOeA2f4QQ}O3Zo0-kL?Y|@ zU4{-VO$XFLcv}vE$%(Y1~T{~04jw7X&U&2?&nB0 z`VzV*u$@lum8^so<+W;ayCX9lVFsvz$r>n1J=Ab{Pjs!UNd4Us5J+vI5bn%ACbOmp-(lNM!A zOoN9l7V_uM+fYB7tG6N4{Ct$QzOb0$3cmHtMe^#SOwEYfo6SB2%{1PwuFiEp7Q@y8 zLtooW{^Acrc*Y{KL*nnF*z)MXQ`Crw;<<5GVmN(nGh7!XcPksywkXY;ejBf&vL*Qa z(=H(+MnPfNy&K{NYZJJnN5Dd$vk$0Ih$9oc&!$%AC#`y~QK0g%1`=Jd3b~lR(8G5* zi|BzrV+m{C%bwRFaXU5%%}+a2T0u-f?>oOKe8zbJ^tF9&JLDF}Wv<fF9gPZreNgoGOXDIQv{ivbvkN2N69@dQ`5O zyPT&Z=1H(T`%(CXo-V42E#q8zF^>0?3_m1SK?D_ffGb7p&~ z+|>DB0KsW|;?%O7ve^*^;wi46bd`yviO9vXCU{Qi zDXuUU>2FbGgSWKg+jeT!)o}mfvsmJmiB%6G7ZHUTjS&psVDG1 zyt$%;GbCX#Gb7;97f8hT>B=p~8ylc3u&9Cjlm)KKf#_h7_D4-W5d$~EqcLHNdGsQt z$OP3H>Z<51z5ZvLjO&m>Qi&lIYJj*k>^uOykMxo@CqZR8yIO`W?Od>PvdUfFMlV~} zYb>V1NXT~}cXEBUPeamv(R*g5x0pQZ=3^p>Oo$_F(JKd66Q5)IG&la;GQQ$fvX+^* zpBc(NM1Z*KW1P}tQ0_=6-zhHR+%#;Yww1R%27nKap?q$3RzuJ%t0?4X67@$yUG!0D zsVm!?fL~^%Ck*{ 
zl}W*;*HOjck+$&zW=<8DL?40-e9yr%jn-}>Y$vRQP|ekF46fy7;y?bp4jMM)byn_j z*ougSnf6d8SUi4fHfd|~)`8@s^8>vkEK8R797(nBsFKgL^Xmjb0j9wE8JiQ9lP~f^ z)gX~%?rvLVJOA@d5|^z2%BTypd$k`&QoBl%U*z?q&UJ#VTPNlE5LQ|s@o=G`hVD>r zdhJ;pI$uM(v@)xzR@Qb+-cKH%iK(i_m&cYNG&1>F_sRQ!=qfq6ekXeAla*U(iTb*> zOpMb}Jfa;n0KHz&e&Ap-W*onX%o%S$p?nox^wZDbiV;ExJC)j?ts2mQe=Du#AWU8* zoJDF&A0%@Ukj3zwr@N$|HzqWim;Cl>L{M<)e(%}Po7LG#<88spzROMgy>so#@Zq>n zs|Pd5iZ1}J$?}(33fg6v-=GC;&9|`%-8)Ou_Xh7OiKs(Za=ZE~B^~0Ea`zrck9BDO+lMZER?9I+A~w7<@%GdFNHP`OuE#+iMZw>}^t@gt}a`ENA^I{$NNywgNOV zMJ9#dwgWY1&P4xcWqZUz9Xn zL(X3Qn~l03`XlRt*)At|;~^?7F8J-E$h{gsm=w>;oJ$SjnfV1yDO$`#Ou0c#+Vy(h z>CLIAyQzb)s=5Zx7BZ^o9Ss2^NNN?20Vlcu5F2|K5Nww&0qrHjf(?r z@)Py9k9tfPCY_Do=5{+!$AZdheHXnkGV|xK(2usWM?khhRouOWj6!EfkQAwWI3FB3 zip=(6<)>CXSDEPhb4?ojsdz~&%q2a6Us&;kqZovnxH`56xn1{<*3LEEN&MvRWwDYt zgVYS$JD&+-2w)%nfx7NQbfh-CmsZ9&tsr!l3?Cf z^MvKmi3?5JD|>15^7nW1uNy;ppJ#&I%#PM9>z5$5Nk;mdE=ToCVGU#CaZw0`g#&hV z3a&!d+%Pci*wnOL$X;X(A9m{>&Fkt=_Z%zoB)J^(ZgXS_XdFV3`uV6&squz-3N5k6 zUZ>3+Ve!Uv+BDa!sv)S^NiC<`yA;;^NMvrNaCIia8A4r=$tUH<=07@+{ar?8?Np;d z%1vg$qBeXUyyIyQBUgcwU`I&*PHGt|^x{NedaF5B$$~YPhox4~Sj$C<#LC*nN7qh? 
z)Z0;U5egRl9j4S&yulZMx#hVPj)cvHOgseZz4-Y%0nFUQ0jhHcnML+K32kk7NP^4x zir#0g%)EH6h%W_VRUF~|z+Wmh+1$oSeD4yC-!FF%IKspW18(x?P%4zJc_~}!Z0o|%XzR}4)hLCI77ZR)Ts?YNyR`#~`p0?NBoOps| z%EzE4&9fVU&0I>sL8dX2X<(90syYJSOtuxh@K1Qu`$SR3$+n8xiL&PvF8sN=2_z#m z*Y4RRF_j7@{$HE^V;(NYOxJ=aOa$FAI7WEU62LKc%FsS6m?ZY0O&~@i(!pv~NiAv{ zYnQZEPK8sv4A2#6k})e#a@S$2Q2%pav{eX=@9yc;pw6D=9xt%(k zAy1Zbv1|w!1`)ECD~ddGKKJ0S_2buF2v$e{#No-saXA^OObv>%fiYiS*(b%`)Lm=T z#ppfdQRf5q$$=y!K1hV55oJEL88$YyiWOrXM&a`VD2qjTgzoOk-C@hS)bLJOa&t%r zMp@FbMq1P+P6jAdDSjAs7Bj=<9IN8?xr+mCrheXnBUnGD-A!Cz{17~N9V}Rl+lbRj zm`SX@XRK|1!^Sk@G%Mw2(9fVxo)gjkVw z(!bowMEH-LS>$CBuZWaMl513n`$8EE1PYJ(p#DRWOCtACiVHOHHu9=B+a6Wt&I&@3 z%RkDQQeGxp2q#F)6ydKmEiz`}G}o!#5@KovW)b^ZgiqK$1`lvGE0xDhVBz^LynSbu zwyLGAO8hqN=k#MUG!M6Xo^K$~$P@vRQ1=_U+tUtM8V-`@Nt7quR~9$6euX}~KU z{-_pQ?yP0Qd}w2nG?Ho>Ijm0W4$Fq}n&azwmHpo0517dwF2`<~!1vKSzx&($Z$rEt z;xm`lYm#YA46PVezdHJ@W?W^mz9l%UV<>K>kEgJ>SfQpFwTB#UT87sXZ8=JV58Cb! zZ4V%Ksd{(;thsK_IFK2Q8&#yu`nY#~D0aGzQ`;k^I#x+xBXbMgzld^qRoEmq=Foko z8dS#glVa4{B3TqWL$*L^=i6Sw!XpQ=+>?SQ=aKHlok~N{X+Y>%S4~0S_-NsNQBF|OIyp8pcjl*jtxop%z8k-tsVSOoGcB?BsCXG{yOcvfz@a1SGCNuYd?yqD z4Cot+6x%v`r$2YKkG^yd-EBo(kk#-c#jo_^az|$%OTSv~9sLI$A`bqK?k8*E>}oYF z>i1fgg}E&_VG_d^EOqpl1~?sXLRd9hX)OhEzlo+NByqp~;qEs;3r0Bd^3ibi64-US zfa5~OLiT=IK^3ICd%89GpPHslC?%&^owm%89zM`AY$?0|TEy6L11F|KQ=($@a&ck0 zP|f^QoXzs}dUAUTB$(}3nh=z+{HyxH+Kt26=TlUVF6XAX3DH;6`D36%Jq)b?NrRCi;|g#+iny&*1S(o!?C-Tk+QmQQ;d%e(Ta!`&l-(ib3!F<7-0J{=r5aU38r`Lc;RvEKc`U0@l zLhV1&+Lkq@QuTUWBumu0!JgtWYOxRBrC3QI^;=8lDI>L4pTRX|ioe%lj)x~9^VLcT z&NqI29=0W=f-$*bk&II-6>ZE`3GD$v9%KWxSo>S{Bek+e35@xi_yLGK>3DX|ga9U4 z=Pnw|Z$%762G;bsNKT0dp1vd6%|rE7Ps~4Vk1asD$rWYc;l(~es?IZ!vv#0HrA+a( z9u6kt0W|ed1jt>-Pr5f9ZP;@8({3U92$;>`apMAd0)cVcniIw`B=hvIDyQgL z#JHBQoNNN(D(dO%69)CR?sthsw6nf4cI9d6GzsDJOmM;y=E&vv&+(C+GKwC8=(Fgq zP15?$vAhC0p#khBw?_!TZ)0%w80OVT4d*+y_YP7-QUZ1s(R+0`!SCzTCy~H2h~JeG zo=-@9@GL_B#XQMI_M++Bam`gnOFKexBM~2>CUYNH8p1V)v8-cb-W(D-cti_M*C@ZD zow)3+lQ*3zMQt~A9KnT2%rlQ~G=IA- 
zK{Mb^azw6-5$G^K_L(!h7IetGU4tL3Eq2|N!$Qb#XN3191n_lX@u$(ZrFUO~1H*XG z3#8v6TC1?6mUODH)Nmkw#kLJ4`{jfQp}j6OUYXs_)IPF_>t&6IHVzJ4c9Xn-+3WinM_YObxr0!X_`jhmB*nb8$99ks^IjSC}N6UKhD z3Go(~$Ozr0W@Atj=_17YVrAv|!_k%tYXF&$y%FJ~NKi<82%x~JMQDk;va*in(3R`6 z+!5V$s8L0(0O-36=7J9H*B!j`1gvzm&4|uY6*1f?*{Q4xp%#%Dq4vQCLzQ}7Ww%}7 zJ(J1HyPLaN{3=_3$nB?NxI72`K1+xs;2j7wQois3i^RLhtJL3An0*Sjzvh4tHrTp! z6J=@6SdMMJR|-+rUfnzcWpeLYwR=L|%ob?^>sP5|%T-A#Vl$gB?N5t>d+{!fFem zzFb-eplH!FZAy|;bBV|hAhkoY{M88n)h9oM@RvfAR8*PlVhCV>pYBX(>URdp+QO`e zr_!|`n0sDOcAIs_a6BeFD_)00HanglWDrFInq-nfa%>+U8-qJ9##M$#H8HRAn*bT& zcljcPS|6mP3QR|!eUyn7G9M$NAuOPAV6*eISIYXzR2q;Zjca8A2*+Q;4(`Qj5j%7j ziqN*&tK(QHU5-~Db7-M8kA)_WeT}%G1H?!IM=rX?+*s^ggGwA?8HV+*Pn>(R8gIny z&1~r-{WfIcAXroUq#Gp@VtC=HU#2A3s~{YmfbYZd4S?UcQ0;=99+=GHepN%h=e__m zKT_sC*OSgbL6qX5n2ZY|_3$pDMlUHw`6}h;$9|wHYXRa--dXB?w)__30M{aAhf%O~ zcA}~xhWQk|bT|aMc54o3*Q`U&CJlX^@=0_-+rIh1aO%isCUw;{y6NJeiKsYM8ICrP zDOj5*TlS58ptN#FP$ojQm7qFDeBHN1WoasU5oa>o`*0=lE9iiNk9Vos9j*&FPt#id zy6u?SretZIF*+qqnn8(%$81aq%F{rVZ#KK5`?8Q=P+L&MQK8vXQ<|Fk) z3HKK0{moZj4f!b}ZV!}O3MPc#atx`4g6_KRT>B~R*Z0!vqw^5hpO<|fKGDfeDYPw& zrdt{=Qw*JJ*!*I9%^tc@rXq%?uTU8c{C-%P#06$o?#^LyUPj;(xuUG8QYxZ$f)1)>IvAxmIjOFy-w;$V7^kjn8zpu{Xzke4}N=Wr7 z6cf=vny?TGCidTrpV;MbwM~+w>0#e%;v)8a2z68vP*0hK(lz*bNTXZ9olT$aeM3>8 zqeYq&vj^bEmo4*^dPoh%{<5e~W{Mc;mw$%B0}>4K)5Ot{>Vy~;OKBt0yADiDG|6uiO@w_zdwryz5M`&d ziKsv#<2}?TPHbhfwjbFCZlH#Px3Wdi`Qa4E{f%{kP?>=I=Uzxzl2lS;GeiC&^G5&~ zJR{y$en6<>05`Pu4?156mxfhV)Ux3(e_<X&d;>uR2)QNFmE)D1q49%ihNlP5% zR4>RtGOMX;a7)`*WzeQwA&P>-70DJx=V3zSV+Ga+P9p8bob*S19l4^8QU6DN_|N<; z3S(YA-twZ}usTO@SrW$^#|fQU$BKP3x!NR}@H1#y$DWz@BC&Tal6DK!7v9oGor|gm z^V_*bgSuo*PtQ``iZDQX?vpQ-=||}iENh6+x#ySMgwHcZA)1SVcGq(X=p&Ol&6P!m zXr3qN;d>#j7TK)zGE+u153#wv}(cR3#Q9Y{>@plTRZWYw2)YPU?(u&}MrG|!IZ z)l@Re4elF-@(@Og_a6f~t_oiO>(n#RqZY)gJhsd34%|88eF>2a5^eF6q{kF-Jhc@u zle>D724IVQ^~G+UgfS2el^hiJ3d0|-CEnp|G2a2Uw2wb;=*YEgED^@ zyEBA_exldvdCHVf;vP_DzS!r!Nq{+6Zi~%4htzzO0{bJ~JD=|bV5|XM%p5UqJ)Saa 
zs_UZ{Kqc8xZ=yMRww41Beu<%eb?@L8iNm=Ct2I=!E6&Oc<<&-8yHKVlpgA;SB%I!q zRfV`7Jb|@+r9V{&gh$vLlTyo)k9QlxEuD@SkL4b?a<1qRfk3;_tMs2FI9~v$@wUn4 zOp!AEM0k@bG6I_0o8#O_rN)foM9-@U!4X2?Y(?1?F0ZOPb`fhu6bRJnXR;d7%oq8N z8O9ppTxju*}%Gm{gF&CnoEeC8-*L20*60oI2ChPX47jt7HScZ5P#_*J@1C4@wyFaop zf5t5T-Qu_ZiNE_Zp5p%%zJnO3{K1B;ogI-vrN3nRbSJiMYUwF4m6hkN6gYakq^PkA ztmxSD@3EW^Bho(&+moUVU1CRnGdyhS-P7IV80DPSn8s*tgZ zavVmIb@qAhv4=$GA^!pw5c~1S_Bef5rM9gR%r1uf?~DKLg#QU7aBH#wU4TAszT!hG zX#QUNl+d=&sJ3#Gu;ZOZ8)JHC(>}^M$|QpBzS$VR_6ZU=-Uqr)JzI7!tmfmV`Q(4= zsNtNX36;^H|ja}i2xA`)dN7`ac#PawR8 z5qz ze%L%K(Mc6hV5geiwPKS0X`^pEZgN5f4LA7Z~A*t1)A_pu zjewboK9o;b@dLk%_)BymUhhM$L3l$8)IA2*cJ3d#`9W=*CO-O&d_)Jc+lP84dKTtra#=I_I9ND*Fq}bect32 z5et{Dq@`4>j_nK*g}Wv!=A1T#qZ-)93>06oXJmyi{B_6ke_WUUxc;B6&B6?`ZD)HJ zPmcQA3jg$33>!*@{kJQs|0foefBhefIik>AYX{I*^Zb@7ossc@zVK;I`UNl^29Sl) zd2jyMbl4ffSVEi{Fw?cPw5FpV;C;Ipry9bZ#Xz{pEbV2iVWevt(ac$BCAuJx7d-v~u-xM%_hKKmi}nvK6mCQjC_dD%FLW() zdn-B39f5ZMUc#@)!i=A_z{zCs4;M4+KM0vh=+(9s7zs~g)CDHQD|kiY>3t`JPwnF$ zMKrKVo&`OcY+@iD2&iYSKY%#2sPwBhu1qd;`GEGFp|7u$6eqkioHvdr)Te7uJ{73jTg4{#Le^;hq9P8GUukE#V;yfx#;Tm{xAHCDlSwQrru5PlN2dnnqm8Xe-rF{7WC_V}ti z_w(=^pe4e)ngsTJAB8iULtl!0)QOgZn^pJXb9VW`VtgEay1hvFy?1Gd9YOB?Ab>Ap&^q+?XgY&7O&n&Esk)tt@>)pMF-!by`~S{=}GY0X5F_=!Wa)C2cr=J(*lud(Nv+| zsd{z71;X!ZP82&&;;`c%b-dL;FLcxIalvsb{xEsjWOYD+DQ8R&;Z*sQ3`QeTVwv8g zc(P1wX4(*aeVZ-SHpzACECaf9o-%psKsDd~v>7Q&CIBZ3dU64m`a%m!%8D-=AW$D% zRDu{iuOsRiEc5c;WjEyN8CU$v1Gv0gD7iivwEao@(U`5 znQup*FjM5zBgO_381+_rP)`W;2fFK#DVWrmcwb!PuCaA2!Fyf5(Ui(5t@%hq9?6`bfNnYdluFBq#0%GZF=QlcAsW!y27R^1DMBl- z5!?mt5PAXhfU$72en=Bz&VmdJ?C={70W<{v>hqCn7=|1jvbHG zufVWtJsYW}Terqm*8;Iw#!SWB`LQy0anqQDX7f`M=1pw_;0}WFgq;__FA@%~cMTNS zQa@fN7U){^PH4L0cl@m8>u%_On#Itctj)U($k#r=oY&h+8mV#AeTo+xI2_bzPHczy zJ}?SR^CVshd&=Dg8I|rO32C^z&674{{&J*xIBy_(*I)oRnr&!mL%Lm4Zh;7dm5xkT zSnfH@u@u3fz9R{X#0hA>rx0^gpmA!0^5sLyuGQe#wH?dbAT77d+pl%nt!1o->)*b) zB9k>xM*xeB&D!A3O8c8_t+Mw7&{M7#)A9>f_RdDXRDTvSelPAqSrC+~k1aaqILhHAOHt#%uHObR=;1?BuWn*%on?1WR_=C(>{t 
z8JG&>ed!jt1&_A_VUJ3?_uvj;#YKB(EA;koneGBoU~z2%H6L~5b)jY8_g7bS0Y(V< zd};T5cxJIqW^geYd$nd6@deO@LgN3`T~&n`E8zRzFMxZjV&{(((31Wu=qnH}sl~9N zUIEe{Q5h$1H@lv~`ic}2%bJC!E7sAzqM+v-9(isyou3Wm1i|5AH$H!)B&swA7Q{yf zaCK8IomH2wCazTmVK4k&?7d}FUD>uZy0PGp5Fj`tXmAbg!9s9%g2TpLf+j$MOK^90 z*|-IFcXubalebcJzjmt5yEj$moO|xOuYL7nwYK(NI_H`)W*>d@Au;$y;+n|9rbseZ zGQTk!LS9u~=XXVT1h^_HA#Ioee_<8tRw7NqxT*Dj&E#W#I7w}Zm38|rJX z>`w=B8&seu1f3|fBGFo&&aZ`llLJ+g&gRJCA07xfv{{{Ejx`&+OTF?W5auycdK-lT zqCQDL`s$l=mK94+Yy#wGG;YRE-3TpjW*Ycya<#Pr#oTJzL+da5LKmLF`n42?|!x{5iUwMg&58(UWxrR95c{P!vRhYyqq#d&TQ zsFrfMOT>>w4UrAhs>N`0VW{;97)ZvMbQbzj7rT>5R8ya}$yTkGGcF$r)3@~1gU;4+ zT+eo?Zu%|0T|88y=K~~?XP#Y~hF7-Ri&w6_%UNw!Z&z3PniVEOb@X=v#?u2f6XYXJ zc0X$BMLGds0T%hMYBfI;Ykt3BmGE!)-`jr&&8Wx8{FV&)OK>2}XcG84h$sv&s@NVB z$A0$TmGc|5O;pKmDA1;Y*!|I{t@`W($h`ht2o)p7#jDus~1;^sj-0h4+q| zU^*DtI*5Cuh~;6hm$d*H0TFeOHc5CDE^Tn7!Pm!jbr$7)Czky-2iJbigRaAm&asAO zuA+)9_BX+9?=|NOLBe(oT~U;q*P=N3aGvTRdmZ6(6{33Htsu^1@WwsGR0OOn}J!Mk14j2;RJCxn=yCsd)rKkj0C)`r{5*BXYXHfD-oi z-|oNq{YT$4dipykUHGee$HUVdaaYC3l;bV1941ddXc=xU=;^pq4ufCOnt)zIL&&o9X;F&<^CN2*G({gYcv$5LOih%$O14@z z&q}jr5nafn*KZZTb%}l)np=DyktY7Zc>13&Fr(OV?py#awdT~dB4w78DKKnXd;S=; zq1Z50_>0ZBD%Ce*vUY4|gr;nUNP8S$`hpV}K`PSqp>_g;J^`C&-$5AKk~#CZXL-d| z2lR`h&V_Hn)C4Tn`VHH{1Y0?`2*$CSm?CAT&gL}e=yx^n=U&yY=&?}==bs>d@a=)s zOQ zURqsyVs1-sIoOJ6KyiXT(44jhAv%Mq5U~X;=EP|+Q{Ik_kPP!YGpiSB83LBiar!85 zZc0!qPdEx(V*>W=Ym3w4k#oTI5XUDZ7Hy_TR0JosocAmuUJL1^8OO|ho`eym>VcZ( zDm4OSz?fHnf!Xb}miW|n-exxD?XgsLfg9$N*@gC)Ck@dR{Q;ykN+cMudTt+1p~7sb zO7Xv_@a8%Ikn)&3xd1MzGsTTSq4#;n zem;&`HyIkflO78M_ecOAQ-#55&6$26?1Sh8@j>?i_@s?zA;sB_5(f}_0A1vy;Hy?8 zHFi`*-A^T0PBCCI6<_JgE5)6(SPSC7Mt<-zfyqkG@Nqu0SWU)Wz|1AYae_6#i|{MN z_x-zB{J)wB{>T284Si7e{1tf7$$tXa@-n{~psDZxp!AE)$yj*6qEa2*_S%j!S1oYU&~?W#+3n^YvaSd$wKBtzvMVYEirLftxwymq#Hi z)Q8q?-ih&F<7sxR?C%BbIicqeNx?GAbW4nyTz7NMtps7#W>trgxo>BE>r7XgmUtA% zN5c6>S`ZjT?V@IFDxVCQIgYCg@AA!ny*$RyP?BZ2yOth~rsj%X$2Y~1`LT{$;I>6m zQ_2evO0x{B@USk(Y8Ew5Bl@y=R=Z~mNM$oiEE{v;?t~6zm5m&cd=OTFAWcr$^|1Fh 
zQL6&O&Dtn>m;7f!Hiy$or_vbB?X=*``4~v#zYOGody%6GE)hV?5!t@r= zOzP`#Ig#gorp^43<&a(Z9TdvJzZd@1$A;Kw%xQ?Q@W{XERO{D;o7>Kz+`LFN!s_yF z*psveUu`97NjTYB(Y-Fy>x-HvI}eFB zzM=*p>~&uhnYtV&+TV}%E_b$*=pw*+2PJ-E88VBeGiuXQGNNu(i!%rg%hj~( z))OB`hC7$N0WIu4RV(GFVuVtF~l$l^hV-ny%ox6)K!3weyQ{wWi?Npmp77m24nWCOPwUyMXK9bEm9n}x7RH-z!i;n5fLOQCgZ z_hYH*W4OfX=&`rz6iF}#NP~}`dZ~K*!d`NuWuHA%5#GewI=^t6lb}22)jz;DCu*C> zsD2U~UcHg9$vwBBa~Q&9Coi$Q*H>$4+%$<{x`pjk>6n1^8Y7Mae`s-#>v(Fmj=NE4 zvCC=}C7|d|h|*B!@)In>S^xtZJ{ZGiWtwF@Kht~*Ca=xMn%7m%sitV`=An|saQHB? z{i&HF`*BN*1fEtaU2`lMVj|Y_7}HkLnu~l7f^X*91a+wB7k0vUn4cr1RSy|u#J;fq zFaU!ti^R|8lus8vKTZo0-7OrTKc8nzHRd_X=KoZfk<926ON1RWpt=xnV3En}+ug-U ziPM3!6KbzG&O>u?Rdw|+S8=N<%CceHJDuk4VZJt-+p}!N-Y%>Jp2jKKUC47|91Ei7 zX=ZntKLeq-O^NUofnlxoKpaFKy(w zZFJuu2k?WEJpnh>jO;6wTOJdgohIW8`L`*%Wt-O@h??p7@%pU%!x0JtWZv;y9P`jx zRc_P-k7Uv_W_c^aeHwH*q$%PG&V{fOSsi|Cl0L{eI-ChfSzP0#=41=R$z-Yw86=D} zdwu9c1seo%g{E54*}EA>mVHeE2_eCRl}&wdK!9S+jcyiE@l3OVe7+myxxUE^3=7}g zG8}U9Lb*p2t?R(YTs2A#MAF307B7F)R>Dv-tNtgh0h#etUt$oU-$*t=r_fbLs958d z1+66-v&s~xX=t)y^tOpm<3C|inzydiWn?)tRi)QT&y^^gZX2U5m%#OvtiIB+OYfhH z;UHUsN!wFAd@lmmFvaBZ6dMxHkr+FT9-G_EZEaJZ<1r3Q-p1cS7Sk@!RK)~m>ZE~cI1z}rEAGu`XHa<}N-^?Pev|lq;qjbh8!je; zI;5mff|Mby3TPz;5J_{xccfSZozrlBLeZU2d>=Qx=tmUs)yGERl8Tw|UynVSo=+ut zIyN34SE$D7&EAVsd>Tt&uI-{H);D~=Z{)=wr&Pp-3_f@eW_lUix@JH^_iN{BlO>YiPR#ODK^Q6MR`%XpFMG*2r#2TTPrraFYIPaJ(%oLkwi9;(vR zB8NO*70@LmP7W6`iqWtRSNaB41fg)P;q%@MGtsjeCh9=F8mg?cjFmYzWD2&$$CmLuSTgoC)W06`9Ex>bPX%nLqqFb&?n#OZPv$JETonU>2 z^LSTz;_jw&M5+Nu9{Z(y2YE37vDUdKY|S?afVq4H{T+1Y>P0eX|FqyO!4O_3O<#N1 zb%M*_#<~S>#Q@$y(Oe(ufDiW|sk1mzVZ8>S6W3Z8C+-biN;jaPu>Cv-z*2$b{P8YN zu+@VPp63Io8L+{#M!)Xaejy@?r&=|ve;v<+Os_YOHS&t!gc*S{1ig{rj`R{i@~cN6 zS$KCOi(n0V>|AW_Jk!C{aY6D=3;*iykgQP73OTJ_LZr>bM08cG9d)9g-uW3QMq(*lET@Y-dSsvGxz-YM zsd;#KV)zj6E{ztpxRuB_M3OAoAc9e~+DA)K*VZPuxk&Q&U*_)~APYzJ{?)~Cn_eTd z$!k81N;S>S!iL~^ADrWGK+pp9(fP98!78V%S3jQl?}hG$c(?M zWugq48E1EMtB<>rgS9A$RhSXRpAj3-gYVSzq z_su5s_l+tK#V9lbmHZ9EOq|e1<&bHy=P$*gMRn1#6GNt952(W3649eFF; 
z5siwgv$`!2$2E@>LqwpK&GK2-g=dEh*~V%!n}CX>Sd5=)>qYT`>FAqk z3oBOZ0W(|w-d^22`By$1t!v3In||7Eh=f@@SFk917F_VJ-K4db$gskiyPe+G4x(#E z@jMVkSae&anRpDJ7TV4o5%byNSbo(_{Lsm}yA%%0-NV8%-$5-vT9mbM7rdo=SXQ7f zLU}&$3iwH6RG381+V&wbrkBLgk~eL43ZNjRyg!yL{_vtk;l1`kW`L>ET3>ytEZY7z zv|$~a5Yc~uq^$#!lj>n{;&aR8uq{I0l)jisi^-QCtyEl8Ow|vTB)D3DFN(Wra*T2RzZ%T zc$=|eR0~=&5U1nTTpZ1%Zq7bU;<3-3S?_C6w@ zwYcN)lA!ZyYiDGeUJjFY#kku~mKEgtDa*E3*m>0}R@;qX5r?oANy?3;CWr>{ zWm&vr@>%gv5e>fPvBr10dsLqKtuyc4Dt>hZ#D5=qvVvEnB zpAfeakEpRLy}>oO*Nx@bvpXxvN$9RC=OAx#4hz3SXlBda?yF3S5yKjslcnd6KH48o@m9{{5aHs@+G z3KI&bK}59AfN>cN7?;orcP8IKAN^kgc3~%A7ka;ZV9OE#0lttn;dIYo{U1})m+v4v z{*~t={M$@F481p=!KQKoxXs_fwo}e{GFj!;`TB(C_ijTjFdHXMcGGxy~SU3 z@t?E{c;2EtSE<1dxvh_K3~5JayTiK(cKi1gy+H6}ky@z#rdjsK%>C1umR5>Kd8f%# zo^6nw8^m%o_M)*W=|b2JB{=9n0*XJ&(7EF4$W^3ZboYv}&Z5B9m8Shr**b9%fYqbk z5%NVCPB?Jj(Ny=#w%^OSm0j}p?a8DPZk(SNCm542toNZj395hy%I?HBhLph!=rct< zsjk*HAUWS|!7EwS0D~LROo|VR4_}Z=&x!P>`Y`tLhO%{PQGPl)dnvD4Vo96c7?fI9 z-G1`*Lk*9apf1{ykm>V^VS0vxB6_;iWUYw#T5%QFLtSPuLJq>+hS`ZinjI#%KHKd18s7 z1=?HEBk>lN%~jAmr&bdrJRRiCo4dL7b#E@-%J~q6hA^ZrsSPeNiDAcZj@Yrkjj2_m z!yA}<)k8w17rPf^7f`Z_ul8d6$grur4jkuzY-iz68QadO6UhrT=$suj3*;DzEy)^^ zPp?Tr8U*X$X>+O0OQ3X$MI3HE3SQ&Hk-h$!ci`ROIKlgrra_ZctO8`YtwkC!7^8;AAZmgQxS91QyUs9#}49GFLv=wo*hZDdSkjvta?X|C>4w&HH#84^oUw+~s4hETw0PML) zA-`Vk8HXZHI&!_T!6|W4N5T)ruoF=e_FH3~l@SjUg|A|6W#iszh$%F4bgc^$Rm7S?!~kjdJkFSFf%`Zqf;Hlh`uUreo;p*@$RYq+WB!y* zNJ|jF;GQf<6=+pWrew_yA9cQ0;|vusfJttw>7ZzV+|+V$YAgC3Lh zJ?kM^BP@t%oYD_$Rey~g!z|)}_K7?|X*{!9he>oa{}V#gL`;+=yzBYROS)$ZS2}mS zO%NbURrnUAqWv-Eu|#1UWu12~4|`}5|0QmJ^mmY*2}#(!tw2#T^itMD@H{e$W>rH# zi9KY<39~(yETfrp!4*bJ3-eG47%l!^i97y`aKOLyoZmVX3(kf3uK_Ddi}*W8h!u20 zmG1ovAl*HZpJW(}%h1-LhBtX(ti+256Eyi&9vZ@bgLU$ z$LFHkPcHyc?xH<9X1?6`8Ob*hgRd(E_R+7BFD`aD!q-A*{FRlI@x{AkyFxfALRO{+ z13LrBD^CJV$m|0+IT}07V-6LZ zF*w@ba2;Y7E;W}Lb@PSpPL6J+DrB@1Hz!^~pWD(u8pWB+ANdp-UDE?Iris+Bp=K;# z4&G!FVOSeJ94U>TOBZX|HGU#cLaDZ@CjM}96>PDhE#Lg=8&tOv35zMO-aL@7l|6yO!VioFZ}pjf*?x%#=tAT_!@z*s(e|E_OXa(I8UAtkE}qT2;^_ 
zqK8_@8!NMO75?oq)YxpHLS(%K5_Jy+02=?h9gKNR6HY}kV8XkLGGQys4?U_qdIuz& zi$(XXV}w#>ljg)HEIOW3NzD)bY%u8iea$y$yTq3r00xVfam#%4@S)EC{@Cg}sI!2( zgKJ|mlp}A7Mp2V@EjXx^#mENB(J&vR>yO{68^~pTlXT}&4=jio8^&1; zOj&&2&!_Ogi=7Dlkyn}L@9voU&|eQM9S+j~FByO>ALkeH$XL;xO7C%5i?p>VpedOz`z&_rHOegtrXH=V%bo8w!=marSgIdNt~a3@w$tU>s0Lg-o3T< z51!H9aO~bLQ%A_Wp}2GT%oJrLH~g;Li;>R=dgb)P5MdoYmr5YU=4AiwD-~>(Aw4S= z`hlSQXO5%AON+2DgIpu`9-ixfR#$WX=-th;Qa2QMA~ znrm2P6@W9OY&z)7#CV<&j`JS{dOom;T^KIi!#kkgt}cBC1uMZHyXR~5JSl5B(QDE` zq<74TE-wRl60IWYGDGbRytrx`I9i2B(ro&HD+~#zMNYKkl3EDoN|C}7^+Q;MCYPqp z>+k_rYCRtDfBg{UC`_+`Kd9Eq+*FjMpEc7r0ieI`@tbb@KU5zTcS@_>cQja)6{qvLGQCmS*moV+YivNL z&J1s@3drN&2qLhV4wx@odi)*KT>&VpP9-kgKowE{`>5f+^$#}xcA+QmgZcKv7FYzl z6H#dflmf>N8H`j+mV>%mL1bPmon}eN5Uhc|xgoHPA#=wTT} z?UV(^Aa?=hyN2LHQV0dEH>e(Nmt~BzL*iY5h_j)}402I_^mY+Rzb|)4Qf&wE)cK`9 zFoJdZVo7UhNO{8yKXV@1!Z=8s1+C@SRN)4 z$)}+o(g@hxIM}MHDUZ@Sy_nzs`s<6h#h2F=Ctg@M$6OSd`J*z%y@5HL=>Tb@=LTyJ zN*rYP7$j=4yl9Z8p`xx2aXC91;Nw-0i5WUMI?&l)j;rp^>4PagbiOlzUci!Kvv~D7 zZcMhyz{^Nk?aQa{pvA4w&KyXs&mmm$tjVTt(|&lVA-@n6wE7=pNBQppYE@4)kx@NX zUD9ezva5Wbq(LI&YSrZhr_uOM&d*Z~ZmNoN9PsE9ay4d&UMIVkBoh!@?1eluf@As7 z=+Y$lEBf?l!{+XjWex~=EtNVi-sc}``O_~jGkJ&5WIxOU=4vvR{{wO{|5X4#gpPkJ z1em6L_Cgl$hfr~dvM+*zM`)I630`) z?km-QTV2%t$~_-K(oI+nyr0yjH~*o&rl1Bba# z^Kq^wuez*-!aWWzLDY7Q*Dgcx-ge{qI77`*_{ zD(`+)7Gy~m&zA2XGWL8xIoop}UQyZVVk777c%1*6mJN_`Snl^1dyS@7c>b=Hg#PXu z|Keu)S;0Vm-5}s!uLH-bObu||+Z*@c`}qt%Lb-az%SUmkCXS0lqc6q|To6xrKI(RN z6%d~eBkBC^`~1ESzTAcSy~{wAt0@QTFwou9%F1I*#)?cXuQX23NFJUXM39^f$@{ke z9X|k+KLK{IRPCviyywqVpUb|^g4m06lHdv^5(S3 z+jfo^{T1TZ%zC{VY)L_)s`iv&HV5&0CfR@tw#*3@kZ?_F@Wmp{0lU%|&j4pu4Zme% zcgX8*RO&E6GPI9QgkV|IXP=iff?4_$oX8u}^ptVrJ3h(E5Ev8t+M}XKF~1#2i-J_}GpkxO~Bsz{I=l+_EG&)8C5Emt3j zX*(AsVd~JwXUO5C*g4GATS_m?d1y`Vh0q8E(9-|}WAS%CfhYfINHXBj4<6G0UpB1Y z01|8-zl}QZA_i*b#l|n8Qa#5)6;~=sO0bb&N|^gGwW+C>HU-QRxq`(hN44aV%X z3I@-jrdt+MPbtiV7(r6AHzqHCNo=vBy$T|BZL#*;Tv2`RSaAy0puQ?}??K|xqUf`r z_lc)x#XAzz$S4H1FROHGD*xp2{Rf}?U*HH2sOXHHnHH@yxP`u2W(we-Gfax5XD1LX 
z6u>2P2TRxTKQ)byPFs~CtlX;)d=@ghjbD?dhK2L#!f!rPcWwH(<9S9#X>-;1envxi zoDn3c@<44cp`W;vDQUJuL?42I@2_lg)4xN%vvs zy&Ivnb|f=RfK%f}Q={Z`Z_Qa?FAMi1!&K7D!Y{#yZUz$j5xEpn%oH@CB`K^?Z&Gxi+=;M8 z+iF;@CKP%1h8Y^7?XstVDf`IY6+6EARdj_~t8Mfr3{svq8`ez8V(hmPs(+-` z@Z016bYKnR08UIVGi4maW8f>dyUmVFq32^Y2|KL%)=k;Ah!nRkhv_2 zIwxs7TLh&_u%FVG^(VWi#@f!FQq9eheYu9wiqx%A?a691y^%x*A4BD7Si4-X^ETQc z0eiNA7{%W~6@j`L{QJfww`yHxk+0(~Bm-HKtUw{%nVkmKC}}aZyEe(D#d|jo%}hGA z!y}q~jlFYAF5$cAu13^0TQ1-yVecZ}fmW=ob8I&AThVgZ8VYE3iR-Itm>!RIO2S`r zuP55WMuw^j|4`(XV@Cz&#PLn7W1vpWeE7__(lviwR*&0Z80(-$TTCR{{8Y@K2&7^y zdGy`@4cTHQ%@uCPshD-z59fn8_hB!3E;zP#9C9(ihP5iPcKjlFL z4h{}pR61K`jRg(zUBQcWI?pHS-o%TZ%XW}H=@*a=oP~i zA&b-qVatw#GOk+meAVn!#jXqo#8EWer+#majx!U0% z8X$?S${fjp=tNZCWXKcrG!%#xK}(BMl4Js*WyY(oGo;of(@8_eOo2ifCE_A+Y);^K z*l}B>YqsLc*k>OWZbJ_U=az3N-Y+rqu6f2Kvs_j*C @)sBs5W;!|zmR5%5`Z-&^ zO=D>Q2ZvXqv!(F)xU^0$cL!B_EAbUan_YnwwuQQPjP z@s5*iP5xRUdSJgp?!b3o+7AaVRnK+s5x4qb#zFJ<)PeLF7gOQ`fI|NJ9bpWeo)gFF ze&YJXgPl`j&a7c$1rb}pbL7q{0XDMGzA6a`HBxQ}d)yFwHnXSt#6;8@81p;m?W;HK zZ!LoSWa>}Wa|T6S*XCGfF^oE}`r}G`r@{){J5KplLm@p(1n(D^5^a(z=fK=R@XXiC zm_^ev7oGn2w*dE=Vt9sMCniUmYxJQRIkYGwJ<`?>IlLywJ6X!s(RxV&wFaCd2pM{u zgktwv!EfP|g}}!qDaQ&1i!Q6Mr(j0P9Y3V?U{&+H0gTZa{|-L~x$TlJBA)l}8fN8l1;iFvx} zRD`hK`Pm~Ol}nkVxoa3Qhl`7B(Yinl-%q=`u`ACg6iE22;_Iu8s~2YGPS!9FihS)# z)5|M6qZe0qXO-#<*iqLj6B1#kbB>5+C<$(El#Bk9L*bvE=>BlR`dIA@3bhM(M29)w zb3Xwf)y+5KMly#b_vb*i_aDr|{*(os+r96gB2j~f-S40!oqIEYZuo!c$>J;_0`SxS z0)6qViyRtmsp+}&(LF%Ma`cY8PiHvt@C&UJxj!17zE}MlFO;YK#f4vd0N#N~LTH(3<`+Y-;9C&yR zzAwAbf8y2t!3X5C%08oeYBE;1A0GDwOAYCL3sEY8(SH=?M^XQY`!W1ly6_E1I4&_t z5Mys&m{?lAqC9f6#boa&1NAIbS}5lXrkkjTmtylT#mr|_K#pnpr3%D;scW-fOt`+K zUykL0nJagGh(vh%{yXf=KkS~ei~y+p&$yg_rf(1W4e>!X`8Ofeval2X(J+gZxSP*2 z?q{Lmo)tb-9Gm&1)E^i*M(&IyQq-{?<4Z&#Xph!|-b3*iI*0h)BML&xB!erFA@TTJ zMOJL@EtuQrqtN8HSpU~luR_~m1EM23=%c6to*-qPQRR?4NnF0f5|dFqV2!E;tJ2N& z$Wr*Dk{S~V%1woALX@dSnebi|>grPA;M^!8=BSC)8z$8q;%k_{Vdh20go=$}KM~_G zJHZan#Rrv+sH1z>SxjJV!?N5SgFVCj5#P^ovgKCqnr_phqCgRx5;0?azZmrQcZK4BCzD 
z39wLT6jVv(d5l#lFAHSotw7P75&?Sop{$+T!ekHD0f*$u)U_KDyl~(?%M#e|&a%A7 z$XXa^_bykTA?c6_4eQ{AME*V;CHY5>MrJ=!$XD0Zy)z_>fonez5Asz+0Zn&4a#PZQ z^gW71^ig{qu7QXv_taP+Xe-%fwhjuG`Y}QnELkoRpS)}M&iEK!??{_pm9GzKL2PTw z874}Rkxl**)orHex@V;z{26p5HIBt7eAIZvX!R!Lju&5|;`l$FWPPl#cPx_?fIj}| z*sh<(g#9Tuk-=5YgNT&ML!$xUrg zc-!q&F7E%K5-Q3fC&=0*l_#WHEyIU0+7yFh*f41tlrbJTnljmNailcCV9&ir)8n6H zVays6D}oP!V+u*M?#j6YD_<&3EUDH&N-++qRNtguKPN+BmW%P-AC%&;F(2PO7oSpm22J36dUvAyO@}$xY z;3M_}TbZVAQ7?*iTTBAW<=jCT^&e}3hdLmC(}1(ttx{ve%i?&Is^n?OIvFy!_aTo( z+Yeg#-IC#13vw5G_{tnE%CTD)NXr!8N__eX4P@Dg>_pfRR-Olvx{+hG(-##7vma2n zytbpOmB>;>n{-i9B@yzFFS^sb9o@swZcw?9-?jTv-BdC2QvB~+@I)E{j)wTxgMlmL9(qJEOJbg5BuRakS(zp(sQf9oOCae zTQZNL>yZobdyP{-xEz76hq%DQ-aUd}`EJ*h3L3p!Y8GN!+64S2zSPCFd1{a1fTO|nmsLMWIozEW1&%qjPa5G8-X5>*Wqyjx3X#M zoY31{YR#d1`k#gRavKwtr&*4W1 zvbab#lco)_sFgZ9)7R8}8C8!68uUSyd&lrNgp7=%7~8V_EQBAa0+UG~ zOD~udK>tNx$Py#ZDN=rpRR2`=8U0NOQ5xA3GBN3T+kj`b*UlV-<>x>K5&v6dnHxAD zeq^2hfj;y=jeq-@8$fXZ*fMoLl$icH`d4lI)i(a>3xACaza0sa(B5DhQmMsNCmI+; z4pP7QWq}C20W45^xdztb9Y4FdA&5pGsEeQ>!g?p$s2%S@CfQ4c3wSfW+93Bvw&IJG zrlPcdsc_ulJQ%G!mn1%*qdx5FKY18=D%Nc2xULVRqe`rUonpR@FWS}I_g)Tu?%%6~ z#@H3DC;f=)0n-U>Y3iN+u}FCEdX3NS1ni>?lx_F~oGuz4cQJVQ@D5dfH8sjAA23b5 zDZN@dm{Dd$t38parE5)XV8xU^jmZqpJCQuE%Bu?@C_Ry|E3&pp>5Ra>fW_qI%YiXZ zd?r7*Dm*}(jGZ}B;Gxy~~EJ6_3) zmiM3zG%%P=+4NBt6R~xQw^H(iAYjIO`lAMgaW*i=rX`cc9@qDW@wr}f^4{mOtf*#| zS60TaS6Zv`M!sXzWYkH>>wI;#Rm8A&3MeM&Cr4vb}AH5^B z5MpfC=R67ziGsWQyzYlGw*#SAmwonbe zW>O29#2PR2OM`D2L-|E#Q(-(ltK2@FQwK+9O-Uk@w2B`g5-^dR&MQ84wiM6udDXP^&VpM8mPi^`^>De# z1;(bOI^xxiEr)bi zqRrVy+C8JW6CT3~EZ9pXNzjVCg?<1hAiI!;tY_sj(_mocCt`Hv@kQkni8)!U&K&wh zy1AL!We4g_WzreTxVs+Uk?J zuFvB(yx+{I;u$_SqRDl2b29YRN&T>PrS@!&HJE7bo}3&UyoFRRij*v-PRmC!&vr1F z0+2Z^sPD~_Zx$(Q)Uch$F+?|rU#?~Inz(8&S8)f>`1!9gBxGD^e+S*t5YIt$jAt%F z&xx6E2bU6Zq^Y9-MRepjRo}3=AEA3t@@~jcm&;(nRJ&)t1u>R z2*X;JHjReVRXQ8~E!B5WnL4+WNHRBW(+oaO2oyCDQ~$fN@p#9%o875x8emQ$8xl@$ z7;538KIY4vJzX@#(EJLw(AoLSM4erh$+EyZ<+36KtliZa1L0cR=34U49HXbGbo*rE 
z9EphKO!9^JpUmKvWfwFVSCom&)BDTSnjv_u8k7^kSdIK{oB45c`_rd*9`y2f5dR+SU$q=@%U4;AZhlhv}%y?u&z5;ssTR# zRn(e>9B=Zy<8q(5Q}tuwqq_#;Z1C`QTK(d^r-o-39i3&$H_!glxuZwmW34M4`H{oQ z5zkCD_Xx%MMLlc9mn6A8M?15S28)$A9<`O2v5XoGx2$jqKY8YK5l-BTJuPy~Ijhrq zPbPA!?$bF2c;}GYj-@$m(%R7^;Nb~nb1_P|aa zoD@>N-G8lJej1v9gL)LH9Vvo1cXR!aX0`W?XLG2Ph^)-Nz0R;H=N)!jeh*ta3ssn= z80i}5I|xA&g}`7!2K7Drgnj5^wOy9%Kxkoo^1{!Cn~%ajwK&r9>A9WVfyYg7m`nKxXgrzldyG|Tvv~pckt!PgYl08{K*yBG*nB!y3YywJ8{}EO2 zoUZbC0GA9t_$x|CLqN3Ge|wkuGhO(9Tenka-!Zw_jAx)2dl9;S`mPG+WB8W+dytyT zojbT7Jp_W=7r0kuI{VCe@D}a9yN|1mkC*aT|$8+!I+Pw{O ze*eB7`Cck*nASLm_k*U389P_1KTRSFGb2op`(h2?ADk>cl**YsYDbyuBNK;4uj;Aw z)-3-HDsP}iAJDSEWJ>(#+SiyA*i&Mz7Gk;CF1$YkdBKC#w!U>_aC{^O3{_&T(Gl+H zEAMLEz%C?0UeCyHdS*#neUa$z6lX96SB~ zT2g|OF^_Ug09#-Zmw}{4DETA% z!^iW7hC`d4!d>)>Yx41f73WD=ItYyfK78A|S1=!1HbR_G^upPYYm3k76B4eU$2AR? zYrGFgmsNRu!pU2=eohDm6sia5hm&gP4&FWCj+#?Tc73Z0#p|KBRv~r0RLy(Ws-9D8cF7|i9rqBs`_Oe@ zU38zsexE?3k`OsYU`z;5)d$_BPxgkqmdc`E*Qy;TJ$;p5JH5cn;>Bma<%BgOC$U?I zEM^y5A7a7-Lo_!t5xq#k?B(rqS4%+82oJHWQs>%L9aNnyX=+J6 z0X;-Gn|YBb3fG|RI4a(`46q!ZaBPucP0ERM+M<`pY|?JY=~TEEt4?wR=}9Ou`_AGJ zu0Ba4lv7tMo2DZDBk|OxjYYw3`HU3* z91(@z0EKKB1sR2yRy!6YN`4LuA=q|sbsJS1m;P&2WrAM3p1BuXb4LoyDfQw*b`Yqv=(sz zQjQ1hiRlsP)v_K>Q*DIh=sjhiYaHeTZ@t7Q6vXw(CAVe?DN0V%XXA^@(_R3N3X|WL z29t&J0lbM=S@fv3efVTFCxC@qXGSG#j9U=%Ff#GnLR8>@E<*&yyycO|wO6M!I-$*; zL@t>9!e&9k(}W`)cjL*>^I#abV4RotGjQeeASe!=DN_-Ky%U(Ekz%qK?FN>mS{D*O z#cDk--4b$9c3mQ_%gu^nwgGkIyrTAm_?LKN6ila*&-Ib*_tV^)%=Wjl7a>yb zo5xyT$^zwrrH8ZT5ZoL%U>~rW3(OQ$cd(r7$LCf8#*KWXlo7+t+6 zJ}weuc4=;a^szEsp_-+JsEdOjd16jZ+?dFre$DA|^5s6{k()_JNc(koTePL$FsNF<3Eco0FZw#`IMadv>kLN!@op^b8UXP%7_xrOvne}wpx z)!^_xn5n3{^;+fHB6 zhZksyzoDryY-E4h#H)CVGzPKNtj%~iYJw5RaE(gZrv!Z-TeJV=W|XS zTbs+!A}2+8+`&DT!CBELJKphV*db(1<^w2Z&K_L>(9Hz0WWwBwa*cVO9=3zkK-<8o zPp3GK1qN-KYPPZ*Srx2o93SexgW`s+EFTUp5VPWMW{=iI5eWhY@E_Y2ebj2K;UrB4 zqq4d1T$QBAx)gh~J(!h5Hyb)eFe={VnBZ<%lR?EFQ32B`m+ER!6@J_yYfo{N=xfQi zl_h*pWli)i#=5Y{A3(+so=JbdDz_xjixu+Pr^4%E)X>`lxOy!G79yZ;%$!|C_LXwh 
zWvxSn135dvgjvIWChPTKe)dT1Z#>>&>S@4pz&Udcym8Rj<8IUydS8VhNd{xN!jtff zCXv8`_!T_mw-@!UFP~RD6&}Y^4Vd3`gjmpi6c~9^PK1eps3aHOvol(~ot}UJ7-wN^ zK%gx2&$d6xBl8dDb@)Hf+D~D%-zN~PuK$19JMXBbwrvlGt`b2IQ3%yUL3;01lqyX? zx}YGP6X``E6hV3wI7W&Xnj%dgw4fje(v?u8_bOeAgn)N*-gxh#;~vksj^}x2yvtu1 z$=G{k?YZ|_Yp%KH@0%~1DBt>yZ!tXp$~)X08HBeYBAG?EAfK2gfO>~A@Fme{fIIbQ zCvrP_6}Xtg9}eyD|Kf4@=g=Ez+ik!%em+?8lMn`^1pfB6=MRVQ?+ouB10(?o$A7T} z3pXQM8f(V3DP2#ZZ$ zD}DJs134^w?BbB390!GX`zU{$jFHf;N4;pQp}`v==lMi*nWHz|scW_E6}Xctt^jld-N!Q9r-Cg@0>VaZB&N+K%PY@p?K5`F53aA5S% zDAk%%BP`XWO|)QR*8_h7z4t1AB%Iw-QwupYRra#GfUS#G*z5T+H#OP4Esj%)Qyp|I zl-_Pz;fiVFYCb$R3s+pO6b2-X4qo6;wz>}|ZxF0n$?dnkkHT&o6+T+93}2?_g{isE zswyQfYK5T+?pjBc8e*8O+yuQgTiyk)nECuF;N|Pir#Unz&lqljr5VmcnDqnzTC#$V zSD*XxR{GG`AJ51sF1P8dAy00SlnhdDDLXBpnO1Lv(Z67hJcp?a8z^mE<=%uU zZ#kZEVKR)OAblq`iN)5UZL`&~eO_saz;fjYV)^ZwYacY!dRU&|FGsrWoiq+)$jh?} zcP|p+b&sZQ;m~k>rLs_`X$fl^zUbHeoR3Ex{PY7NAG~83qbYg0d zf`+m>+Ah;)45HRp5etVqW~FXQE{jkqJ`-lH`5I6F#2+lt~L4MyWI*_9MZPhDl6SM0Go9dK= z4C)dmSUy(60>p0)dM)BRw!Ua2{D=%6(L1s+0}!Fo+vMsxfc?QN^FG%Ne9A{wG)UcfI{&ycXr5n_z;KVRY=zk4NnuS^MYKar>rNX_Qs+d z#ixx|I5J?Ie`Wxhwu+WD1|VF%fT{gE0L+)27)A}%_5|U;Js(c^hB!asq4^u-V{))b zstA|<{JE{o{;V{TjpS6vl37^fX2M{0dMzlr;n%S5-!)rpWh?kM7vOd9>VBjC9v&e0 zcd>(XPkOFFUz>+a%B{&-hzeVh_Zzf-yx&bwGNrchsc(qdKTkG&z|H!-`e=af`d7+X zzM24y^uGEk_ZFiEE@PtVxv`&;&t-M#($&`bbPz})URO%Z-bvQqXc*#UnPy4Ua_L;T zE1Q4E8QBEaE`Y@Gu4dJ(q*uc9$v_<}Ul^ivgFcbyNs85R|gBH z&4R@|iKDvvR8d0$93!~I=^I9y2C(aS*T@Qn;2rqZ<5vB)ceTfwP{B%37qSH^pRx*) zgA6vCCXhUiSu)btd|Ep2(QFf_D$OF;GQ>~wN-~plB>cUSF7R^qIU|=jH>R#}*=4e6 z6R}Vl-PZ5E^hsqP^IxbuOJ|Rj65yh)vx7R{;~bTdlco?5+{nYR8yn+>N4F~c zpBSs34!NraD|{Q<=5|uCHG_=sNG;129kJ7#QqW>nfV7DwICdMESsz-hJeU!|*P-QO z?;Cb{4&H(f#NoeyT4(T3M`^S_m&b`Fn&7p?fVV*!;3fIm1$p8-^oW4P>C%T~$s@(hFfHlIeX^#f+ zS{lH+Gw-iNfXwAs=Mz7mf(a9Vc&FTV1OyO4%q!70Y3pSBYc`$i>)(idpOs29aYXxz z4mfR02@maO+a=gv*+?~4@;KOuME9r`Pwx2vt^*Ohh%?*GT$idwU3H`Gg@fK-d!7zC0!gI;-#ia$h?} zQjZcnFTo|lh6%h{k*brMSsvL5R%E#N(!9B#m7r#@*4w%w-G0|A6L){(vnY-!>GEwg 
zpK%?YlpDf}Z_+EeuAeGTl(bGsKXH0H;FkzKb0`0I;4tQEJvT-55&fMnjO}9$j)3_c zJRhQT$`^;yl9K~2WO~4XbdJy}AP2}4@pfsblf7SsPMe0-%EAvcuaXgFFcW$%6aW|~ zK-1rvdl55@W0uUQuA7=Q(dc^=&z1F*Rmos!j-^$RkxHjwYQ&kvrVH%qnFC{DfK3SX z4tzK6UVgzG4p4mzM-9Kq-cD&dHH}P6K~;GU=v0RtS$3RhtDYuogOGbRFZiOS7bK>u z$*$Z96?!Dj)4*dyED*qdpF2E#Ir%;o6N|?(pt-@kCQ>|QiE5Lx9qzG-y!pB{& z3T<%Na*D!qBfdke%^@(W!wFSJZ$=<52aZ^Z_8awqD;OyjtT*!L|A=Pmw_gS8duJ|RBG$ZC!*@FP5m@p+@H};{k{p zR%L)GWt0<>j3#3wtJWOPWwgIq9E??^4IWmMbue6FqK%VX;^Yt^SaM3fEiqlZ;mBEU z6qK4~%@`borYgYc#Z<>qZKlN%9nsJMQS%96vvnS~co&2gaFy6>gqt!i(h_!=wyq6^ zJfw+O)TqM&?9C+ zG^=FM+v`9DmUVBlX$|!D=~8vy9n~&#L)Vyo*E0SA@>pl7*X?q|N>Tc3X}>aM)2J7W z7}@tE>U%3kb*{Mw01R{RR6wz11KF{QsU9b>EP9f8lJz>DpTdWG)hde0Sd3svFIdB& zl&soRV0?^t4b#K(i31v|r}5{U?ex)=CM%@;#$uQlVGQvnv@9n{hf7r|sa(2i`G_%X zQvK;w&wv5->P})R)9qJQ2|Smg21qp~K_tYktkDkRaUJy%fggFZ%w|WdQu2)E2~Kr3 zo9YE5`~tex0(J&KjL(o(DdWl*d6%4d5u|Ph&+NoQUdvX#4P9M+i}-*>54Ks7^Y^no zk?rG~%UUI!mM<$5xt)_5pDp4bxOv*%@=o+cTL&rmoS_tr9(6kXt3~|LXC(_)%bgN-$Fw8BlNM04i>^?L z=$mV_MuAO^D0HrKP}>+LwmxoMt7YnV4oVD^Y%z#5mA$emlQy<9U~lik!L4DI@=NNb z%H2K#{4(2;J{cp3_%?uhsHwU&&Zvs(*@nK?*->qtG;RV_kph_yRjmWbH-ddlW=c)p z2?zI-Y_rAnE?^a;64x4FpJ*gRD0*rJrB^s9q&e$*QqLr5U>Db0)X*_j@UkYTGUU7x z&kbT_O@)#uAHTd2%6^j%w*37jhDL@Vz6KMe<+e%ir&gCGL)$%NDyIGEAN(8e!-KdX zx^L>Q>HP;slcI%d3VWB>kdVYMdjoBHh}SttLMDvSZ(^C(%;>`t|A(&z64O340>J-T zw?-gWOzA5KF~G|wc=R=h_-i8bZ?)DATey5^hyNmU|F78L%y(hPIZu9GruLsgu>4pR zxIYiveRf|nA~`g_%bUB)kMc2D7^wG25gu7J%e7uz{_IiNOfm zBEi5U!9cYE^yqbBWBla<{PPFn7A6)p4(@HdJNW1uV8p;J3{1>hSeV$@SXk)0ebK)I zSR~k_4|%0=$ka@58J)=a0%EgnGd-*LPN6=u&&+S?9Ef*^@*WlSeU?Y8Y>%G^2nq>{ zh>FQPmz9%OP<-)PLsLszM_13x+``hz+Q!z!)y>_*)5|;PeQ?N!kD+04@t+bBlRhVZ z$iZO?&O>)7nFSVE4t@jeFOdDm01NytLH0MmeuoPI5MW}UHxH8p z00C!WY}owgwa)qKK)TRA6a|aXPmz@zND^dNv;b^29w zJ9ex+&Sb>KWl1xL%02Q|5Z%xjzqHIbRf^_NqRi)9Rdm;Fu(V`tXb-DB?ku<60#)vT zet`;6z8Upg+0tFaGcqr+BDtBFP zxHf4#xq6iEBgASRJu;kjith$uzl8jFX;;6+U9F?E;sr137BI)Cd#deW?;V}z0I`^Z z3_{dUK(jjvxVDYnt{=E0+60~L&ZB@x_0z_T_4U=Y2S2Z%QpRg8)d*AOI>Gkc#KZTA 
zs|G2i+wZ$xkn$+dDM;eDXuGE9;?#|Eeb`347H{*R7yg6-nlx&zWo=Qw-#?=S;pwjQ zkRixm^n2`CJx@S#bkQR|pF8%&HnT`y6;iPEj?Xa);E$~ufw3Kv5uAR5ElcA} zN#rwaFO>bNjxhNkY7jWzQ?Nh#6<$>{Rcq!2=P)++v4~y;g5{V4Vl#>aL4UVB#bbG; z7g7`XwZiJp7YYVjCeBMwwP|%2 z2B(qO9R<+t^3RBVgu-=AHs)QiQx9au;zUj&+j?kr0;R&FNkWM9gQbk&T9vP5dIWLDhRNjmKaLU+tD@;sBY-Yj!EvB@ozI>Apc9pBXYiJNlhu?uw zj#QOu&fE-p_?DtovcQ|H>cpFUR!pW6ZC_cTy&G>7@Hq~CvVoLm&$Kz5vU94ORw7ro zsYuo-!pIvCWj$}!D{`{%Y+`8gq0wDQbWOTP_Pomk{Mj%%l`nqKENsU*t3FUm;_xol z&UQKJfJy^gZses)?oatNDepo_RU=u>oyMJ=rYvS}w@v%6fdbm^LoBta0qra`)f9a+ z=|g%sZ+z!hoGwG+vGWToD{bJ~VtTEUVZ_7W$fsmHsvxq7~5*UakOP87omT!!P; z(An_k(ybRM)d5kHTZXgbWt5_j+tW(cXO1a~q$F@~+hCRI<8|=>R%Y)g*r=N9-5DEf zay5lNrQpA(1w@Y>x`qaF{N()au&oa@Gs#OuUfc)Rax&zuBWW*%SFC~TC|{aG0heF% zv1o@3(O9#_RQV6w(E~QM*5h}}HP(NA$ZYgB6936J9?kwKypX<-T(y_8tk?VTN5%&^t{F$Is(p|Se|lN|zg|ZULk93bf@mWL@Fnm2TSr(C z1xPSoPh4AL9KZg(^Vg{|afklKjN=4KXkgW zwP3kjt2p(rT~r`(J3Xug1-x%oMFHu;ptGMS;6MY?YFvN<252&_Rw3ubi^#F>=w6$f zuRO_h#C-Nw&?5H;3RsUExH)XT)}-H0+CTwE9qY&oW8{QfII3$-_>`?j)^3_0UR|HZBSP5&th)bQ}CYHnOkRk;A1# z;k&d2Rrki=_^j(-+i+P*9{Xe~^!}%`{89>a`Z^SFGK2z-nY1=@L2f8u3vJf_l7sUz zXNR#7Yy4FjX}~B3u6>k{i%1O&XY^UkihgPDp7DlWbw;MO7Kzc8@M0RJ6+5kh*f+EE z&cmV|3F*RLU*2SN^cCnSa{l~|se@-o`*nd>nqh_Bw*4SIqh!NRWLUyD-zMJHNq@Q# zI#xy7MZQju(>w=CusZL*(mZf@Z&Fva-%)`%x%uiPxQt<1pb(>5gPOIlfG(-58FGO+ zzgjShwDRE&J+>Ca-@+@86A!_e1Gh;C~q!rW&BE$ z(K=VTe+nV0_Wg&;NZ5J~yk`8J_EMUX+I~l69e6j1*3N!EIMILti(6#2!zuMZleDw_ zenH^1Qm(8`Nl#v0m0bZ>$*oRTT^&+?q6UDLKL3f~g`aWBeHaq5;&GY|+CQGV7j0BC zY8E&eOB-=ew`7?4>6P4ChYzL}(?Ms*+Ws|STd&k1zx6vyvRd~u1%RSsan!wxM&o{Z zUcRS{LHG|u$)iva{SrLrY3~AK52Uk6p&iLh}#Lt3RBKFjH^`axzd{2a~+?J|c2 zBSA(ZW}^Z<3AM0zar0O5Dz_OHf=$hGYL3z4nYV5L7~)nksFBi+)i$kvK0krh0rA4c>%UW5Gl9a zx+k@w&4vOT_A}a`RvJk^5Qzm=ML$TV`wCiEc)20{C4LN=s}oac&Cb zg3V!$iZlwQSY~ypm6U+*bYjDL)0Y=S=RhyFq@aAHk+T9yR`ud7HB4sE)moJ!6bpllJN6M;mxwuDuX#$C(}W>p}`JKMXF1f z`|wgz&ck$?U{0)xpT+HXas-%!x0h@38&^v`)DVrm>`n|Uj8+(vMAD-Zc-SE&HLWE@ z`fbLqVlEyj98L#B#PLqRp&Z`!P?p{=VR^qs<-+L`cXfzBSQOuvCHH+&CsfCl$K|=l 
zSt_GX3NF$EWL=ENuRKzG)*;ru(Igij1WiNVl^>+BpFi5+#fIITn3W{Xz75rMiSe&$ zvJ^N0zZq2jw>4b^==#0jz$Mc7hBc(hPFx-Z#Dt&~mvIjY$lV{rftlDEG1-BiZ`9dm z2<7<|-&a_E6G|*8T)RLvskP&bq)uR%kdQWWd^Rt*WdO|F3-+IsFQj6cKFG&n?HJa# z6}q&~$yK!Rl{k1Fx?cKG=Bv64+a`Z1F?(5=s!@;v{D3l<(Wd%LtbKOIikWod{<3T8 z1EFB5OKn{lO!hY8LxON*GZ=K7EmqGxYkW3=0-jMQ{i|P-`&XcGk1Yz*XZJ!-TOzh1 z=b7GE6^OL!WAR`SORtdVc;M)iy9r(~AKqk9yec&>5_js}n9FRatW^Wke%uYWC#HyK z>fC*b_2z1jJ*8rn8U9+o5WFAEp(>N{;@wE61AQ_(*dQR)D$bFeQitno6aW4TBONou zdB-*ZNrtg)={VP=>m)p8>AA_hxSnW(TZ$5|Df-jH)^?$JK3~EyA% zAia@srZ^?*z?^QXgqMYBy5iB^GPOCfE=L{e;PF$BTlcE0W1m|+arVA^Z8Rrqhf8_b z&GU@|C1+@C_%*dHODG2CLfJ$1@iw)th zyp`H1qIUHCNLPg2cc1-BZJ-y$eY?jWg{DmuDxW(;R7S4~?PCkH18t1-1(mz%Ll!3< z`PUAq>BLM)Bpr4QiC6@J9;YziVqS!mRv$tv_+;(G3|8MA{)Bk)_lvIY7rdz*R@1$d zP^Kseq?3+G(2B?(3TVNK4;#$A9kzb+3I+H=jvwk8F{9}ad*B-Lw+%0GK^8)qnlFh< z%Sj605;~q? zTfOyOlx~4yS-5JyPB4k_ElKjI8ESZ4IHy!#I4kWLd!arpyGD-S(TJL>niS~fa=WoT zpH`xsGXPsLr+mWYC05v0Sa?uVF1=`TSm0xwcI;t~&{xvC+^g<<0+q5uyByE9AmVg} z(q3K;CU5Pz%nz5a9=|2)7NL{uDkFRGtqE4q7_)KIEj)Ru_!hhp@$xD}r^2kU?q?o8L+5}B`{iXRcBhAt<)Uau;){$lLgaD79N&h-xdYJ6Z{ z83nXRGKL-9SgF*cpE6h-^}ieQ9vY;^az8a;;B)(nHkMe@^GY9hOlUDS$K3h|tsmPFm+WF2TuDo;-#<9MxY z&^(@Q1PPecpVOah*uY9b;1Q@3kih(LX>Vjz4ep&jKixl%!snFoEN71WLY;7%2=B>@ z64&naurRRL;<2yITY;@jELvp)gO0PxS4%@i&4P04dLC<;VmCGct(19L{KJHtR*cB#i0wxO0k9Wu@4Tk+K5 zuD_=n7HRX1ZHJD+W9i2m+?-Xa^?T>{I~u+uEW^_;VbeVa!iD8h&6V}(A`gz_>&(U6 zd#pKwc;FeV@dG^_qLN}7Un0v2$P7xywYB*Tta~uxsLrAVtQazmzKmH6xf>1HZOnSz zAT#(u(B@TS({f{WEgeYFrs3(xjNVU)5*io$8VfZB+PRZ?C5wgk-(RoJC9Eqyk8K&k_3;AMC;hNzXYi)0|zqhc_+Rm^ZGjkmKdS z%=vb(*pVNm6Cb^0c-Lt>zi8A^0B}jcxVT@+|9ToE>|oU8Ud|vTA}SU z^kL~4#fIRCf$;U?OXP>p)OSwDcZ!H+A(y{Uz$HnE+aJtw;}@Q7pVVY;-3ePqO6H*e zM-=cRF&n+IXdB23=%+uInk+d1n&p81mmB-P(1_!aRs-2nGX~v`%A?K-(k|FD6*vq4 z-t87Le;nUnz;@gonrZW8QWdU`>xo<`Zl{xq;DHb(5S`vFxIPyAIfp-_bT_ z`ehQ5U>9`03Ml5DdngSlH6~O)a{BN^j++V65~U(pri~^!wV;~vPV$$6BMxXTxFcd+?=3*!C(u|c;wT2 zpnam7+geGVYO#_;L|40!RY{ZwhEMlZ0+#)#RlPgOl*e+!?A*Ux4dqc6YDCP-C9fW9 
zLr}o&xp)*Hm2p9W4%9`T%N=K2pwIhV(MZ8V(B>NZMb26Cp(F~}@utgIL|S3UdZ2*) z$PLgD+8Gf`e{GHSX*i%AH5sbcA5p-v{AFzz()woaI_S#igVi}CxkU|qg1Tn%R=vK2 ztf1|$`=CXdVaPg~RT)9&L&!4I<}V;06u^L-$eKdZuQ`(cTPqTPlzc8dgesI3>v;DcdN3MY z{NvD$3h96BTTR|8YDQQE&a2ed9a1qzlSHtYW>p;3rALT+OB?fxW=N%yj zh@=7 zVU$|&S^F_P&I<1j|4d^g09SXQP!$qIX zp?Z%o5^l1*P{31h6mYdmgcO(myJy%AJ*ECP;TeaL|2YGCU;o6zKhgJ}c=#WO2T#x% zZXx6^A`5QkM7NqN%u8zaMKBhRN`#3Ks-^k?1+3@~qrJra+&920oXG$2p(#zTJyM#F znRkYj9$uA9daxq=InV|(pr&&s^>~O=aLbnv{EW9~09iIGZMl)|c-u&HouWeivllkG zrkQ7`H>bIloXID%p_`{?nfL-~vcNyoH~#;&!`y<79SMR(UtSyEkWiTSxJpPaf#nWQ z@xJt5m_Bx)wP>@@wvp>(8r7;sJ8B}C}MZ!dqbl&9MrTP6Rg}*i|XIpx_YAEMjoT={Ie*T zA?B7BQz5HAA<=kN$ffo6-TBjMvl>s6M9tKn54%}1n8DAy-w+V8!?M%boT`;MS68&Y z&douq;4VCmJmyRzZ^b5xezzPrY$r47e3Vht&9c3QVI8>4D?ssW- z*LcN`s{r?rG+pZBvP!(oX+ps4+#K~d5E#am%YzOs0RJ7WG=m6j zlflvFsEJhLO8{!yy^pr~!o7`eyxP&q?hY{Y-?6Iy#4|An6+}cNBQ0!7Im=ezbyN*5 z^?jhjQ6FDPcD?MxxyL`L%?Q+j9!o~vVnNSJ-Q`)Ln(jbxuD*mAR-|NK_X%Z+hzaUp zpk#0qH=i(;C3pSmR-;J1ZFBid9RjMOiVxj}mc%c9Zt+kN2QvAaH54uh>~yt-?n z6mN5x)Fm>s0esKCVl7}~*jk-(mS3Nag7!^7Xy1sQz$+Y&zxzi1?|Og!{wIF^q>n#x z%%A-6M{N8D3pg&wKF3;P>Ih-)!rg1)fZt7LOEK2P8|!JP7t$@qLn?wq(fu8eW@DQ1oOjHA5jv{kq!50~ zn^B^DWvk`f%{rrzrUM_u>;v@w@Kl_GJqJxgydW0ZR05)2+eJx*f1n45!1h z`5yA!T}NW34q{FJ4*Ao%$nfoHAN%PQ-bXC2YdbY*59RZC-N1qgQ*QXrDvGQaEm|X% zS<`VmGx7C*AEpU5eyL-c45N`I?<5gTb4UAf&DS$p3u@}%RS}9V60fq}WaT<$#t)jG zW#ayhc1;c2OB>F>W;aQx-1Y~vJopwTWKp4N}E|_KT=4Dt4`=ej^XeZ zT>J$s#p9Rx86Lv%V2GVSy~o=q3p4lxa9l8LJT)f}Zs&ouL;d4p?%k?OTGvdx>fiC` zMh?vWP7m)_?`^33kq9&sN<0HO9~~kFr;H3$9m~2ByGk8v`kjA_=fVzfl3nt?7pBxK zz*A#F7T;Srim-QY#maxaFaA3gv}(o#u7osen_&UT9swLbbIZ$F^JEB%qdg$BbI)Jt zy_IsRk%{>sYBC0TP=x{c13W)8MmT3o)^p{cw_KpA4o{N7TN zpUdn)DSzkkQ_4R)`e)ODRJ@59#j=qM2kFm;S|PF~abD{pEt|gBN)Dy6lB)=NIOU)` zZMY+x?R!Fq^V3!N+AV~?z#qUa76c1I6Ib2vWiW->KfSD1^2SWHLgZK1S2u?DRn>%f z9z`CAm}I;R1LFTn`1mg)@_)m?ptH_F6!60B?`Tb1)NWavrlclIC~2^hV+TyvR#Bcf zd`oU7gcY8LvF7>*4$&|)erY`?I|?RnDqA-ZTai%VD^rT=)j;@t-rW9bpKh< z+iBQv6m1J+{Jw#u$K#AC8X@De(6tbS+1_sF_kjgiZ#R7hY|HP3a&iftjBuvoEno4g 
zOpx?bJ-!>5OEdrl-u{7HH3h*!N-mCHf=iy!K8&?g&x)2#U6vYSo!&-vaUmygr$Sp& zdTIDmeYcm($uWffq7?ozT+>*4gegqaSglHD#k6oo%)gD6n9xhKc%u|8E!JOJ2QpLk zI9hRk$BK%9^tIXNw3*v) zC&%jLPQOd4%do%T9~fo*Lqw?`VqY@t@OhHlP??_K;rrwcJ{nM-p;l&wzC=^cAIZpAvd=N8DFqv`~Qc+o3@Y=HSG4o+C)V&&#=OafY*sLqTlsCprbQtt|ckF`Oja9 zB_T%mGW843;=fHt?>QL-$x2zFBSD7kV9pzN5w>f=A_bG=iQ9m z@Y#+OtQ}@Q9qdZYp$n!a?JvEx`{N~#ikzq_g5O`p8QoRtH5|(9?2c}XjUb$v@Rh|w zCwK*Ei?B=L>xEtZq~;*kpSG|OsE5}n2R8F~XTLT7)eQ;njt>6)cgaxnp-7ka>&glwk4me_6@Ggv_D;JaAEeosY? zC8onOymb^%uEXzXrz50i#Bt{)9igO~8N4{adSiOwU*0QrY5F{`IZ=X-KM;4b_@b|98aaa@66t3yl@aN# zzA^rKmZf*x{m?-EjK%X)-3=Z!g=HE#C(p3m%pV<+w0oW5x>F!;AHVt4AcdEagxs2^ zZ8<1I+VI{7f$2ywU$g%Avb1Ld91J9Z?+G2nT%icI=94o>jQ-^n3g|`0{AKR^#yx*% z_fdey0eyd(f}AWTK+#?5-JiVFsCRgmdXKYQA}x-y%_g!W=m+iD4SQ*Ja83<>z=t1t z=;Rl zJT2P|^qVHMF5s~or)^?Lc$C8XEGNCtqtQqhSn0WHsuZ>tlyHp;Sw^En*oP)Me}EDMz$WfGP12Vd6@ta8f8AAR zBUBV`k?`2*)2Q1o`>O7v)7r%{Y+8LK{}~{C*sV?^BFP^O^~NSQ{tJ=1Bb)XPMVs%~ zBxyZ5^{Ka6NOVrteLzY$D1VCqK*Idri7%;&*gepow?z(J8BbM8%r<-2-%LAwgL%`D z8|#N5bQZK*FC(;vZ9$fC+J=U^Qe7jFanHO(XsSc#)XDKf`3_LrdsH^j@G0`6x z>i_fgKgjHPN{S}c+fUdt&QFtWeq0yp{UO5#s9$Y9OF~|tBP~OJyBhuUiVwtz0vejn z22g-e^zWCs+5Sw2^H)9S$_I2h|F7RKH(#*b`g6#i82gi8{^XZG#l=4h&OfE)pUUEY zm#!>oZ*f8a%Jk^GW5Fy9bjD#~#y=JPJ^e6*j%@s^Wqvv6LJoe0>CO^c?btc)WU%!X z=~KTgURmc}Q1~9e--(mVnJXr_nmf++FvR9L-*mxkXF@9Or_!A&IifpSWpC{%56a&@ zQb0Q&Ih>0gGtd#?GDMu*h?zXBtoyPnp7zZ8bE{$)mBxE5CYn%*_`s*XaFluPqf;y% z{#Nr$YaH&z-bbeCwN#VT(=?J7c>64^#5tFo!4>NR=&Y-BmR++katF! z%WPW7<3g*ByfUkLIK@=to#m3jVgA^#=Q-d0q8W-C(=$_Nn&^; zKTNQ=8Jo8KF=m6(6TE*IPB5i$3R=G%-nx3cm#d@piTy*1k<4xtVwdT;|?v|w-Ut4DUF+$v0$Mu)#rp(|Y?=@JUxV!&wjk%X z6gO^MjrZlzhG+;mI=kgxYc7W~{msN+Xu}3}y^V8oLd^~bi*%}M7jAi@OYxWSA`5{S zWnULNoCKp8Js5h$@@675$}6&(;vPbVCT8`}vp>c$7R_7u)2el5a&LFw`} z5SKkjwZwPl@`LP+JJ0KO#Auybno01x@F~u+a?rPRi%1F?93Fd8E)T$2WybtKy8+}? 
zJa-P)wh?64j}&EsTMvsEV~J5>h4Ex&imTuPv9aq8oWiiiye(n)gD1ns^;1(0V9wp_#z>vugruKSTyu+` zR=mxl^=51KS7GBtJ}%-8)r}#{>GN3jo|6fVErB8;Oij4Ug7Y7a>vv>f_~B0{z;DMx zUTx>L&1wgNq;g;^c_Amr=JE~lYeUYy^!NuwV2+}j3^9Y3AKUOA;*zpsjDneuW@X>Z z+iH7|&f9*SRX&v|)}7SPe)%(4OOur6j=Yw;v15%W#q>=aQH5_r$Nl-9!)jhu_J}v@ z@$G6Ke$;6;#e(x>tto$w4J()u&a<;SyiQ%Y{vna>GolB|xbO=l6K}NQm1&H#*^N7-@yqVqgRn#4&F3GpwG>*Ww zN-Vt^ra#h^KA#w#kqu@_B5&Z|96mf;vG$IaSR~;aM*;P+22aq*M(c5% z2heHdBV&z*=H7K}r9_1A)Xv$vCiB-u^gGHjuXUHgyDh#}+dTAgp7+`hli_8>#Jozl z<5_mDkH;KxtN&X&{qC%Af7GqWQfExe!9yOeqBqrULknMP_mM@Q#5tP;%RnJM^SFi5 z3#>Tr2Pcfv&%XY+y`P_}P7__#L9kD&IN|*b!KYo$avy&O5sUV1}oC&W2l6D zv7uf=Vq%487~AtJGaCZu3i18S!0%75a?-uW^U7+mVx}L*ma!%~mt&V^3yCseExccO z6C&YJ%*d?68UiBN9AZAAUg0%-7GZEAp6Dn)NUND*m;82za-8U{t>T@)TcO|qBULGP zMNx@SWohWWrSPCH-p%N=?Ur9wL}bRYZ^MgU^cP`vdn9kDBr5VVK{aHMF!Ra0!U(K+m z!@34CcNSG>Jfoc?P(ZcQxu*WCw)&UOSE*Gb-yOWGyO;je~ zD{%+AX<6dc-#p>qH2^bvoug^ptK{wn_?OuR?joxEl!4fHzeIh%qnU7&P)yw*tbexN z%j@!H;R0ccuIRJ(`5qLLPzt^-fUthFk<+xMj#6obZ7UpC{a5~&B@>!M<@gj>_>|NVVe2uu1 zqF|};J+KRFFieI?p|YCGM3XC*xc&M00A{NC^t7y zu2Hf?Zv4c+Q2sh)*|E|$-{ytST9>1j z#_y|^?F1f}yGyw|8y|kri(5w@<38hARCS}Lb)b2YP$?H@&_la>WMv)kEE&IRW(G;8 zniaEA9Z8CoueZxenKZ0V!)yH6R9>X2{#@B7!i4GYboAAn>#NVMF=xHszeTO_B<9_A z6hP~?rziT_!*_4G@hZ0GwX836=oD@$Dcm;U;gUN%Em{$ypqgYM^eb>3tLaXY(~!Ke z-cYpOl}d>Pb{%|bmoa&=2ft$>>*X6BTzcLeP0mlcvx4o-Au#LNP!`!yDIL}#y!9Qd zt2=H7V&Sc4Qq*JAi~Sw?ABiJQsC7f6k0rF6UpWuiY&P_f=jW7+-()1k>P@uiz3~;}Ophbrv!gVp^u+j8QD{P6{;(oW3Cx?Ok*Ar!HN)lNY*9BklJg__R2? 
zABd5Y;4ZnH3CI)Ihg;z?v9B+F^_4DxC-H4kcFb-4(2MU-5IF*W$D$3qox%{UCZjPE zU!7h^R+v3@0=H^xyaO&b4#(yil6E(b)lf7Mr%re(p2*`-xE|+>%^}6mR09^%)_J>Q zzYy9M_w*lrN8!}om4})RBQU}@>$ou2^KWAZm+ZM>T=9EW=(k%;dB6*Y*+*AJh z9ni{2#&&wd(xlMMOnFA2d=XB`nQt@q(W4V_BxH5#GCa#Ri4q}hunFgMe6Xew-Bpz^ z<-`<}mKP>^tmb@)qO^1BSqP7(a4%g+T;XN+}`)9ilv5riddf37&) zCCTmTIkpF>A_Mi;TIO_KbyW|+-s;1i#YV;S+3T+86nmlSJL@+d5@h39(`ns))_Hy^ z+84ZMa}3q+Z%v+w3w>`t+!-Hcv+M`dHE?=}MIKci`yK+)xYA#iWNqR6{Gq1Q6JCTE=XGgX5|(?Ty#|P2`7ipP zGH5y5CaIl!=)vPQPs$P}4VmLgW5p7w+|*lW*$H_^9HI5S#=Vs@=Vq@xG!aA@z_R08 zTIH^vL4EfoN1K=Te%w#}@YAy<9s7cY<^vg#^o3TKS|eh<&z0XPtu%d3wfw@B*M4^w z%5n0U1jhb~(=?IF-d?FE?c7p(Zj!dJWAA5pNqvc(r0J|mo;|sK1COe+o+CkuPH8|t z#zy3f%ZOkuN9LhbXajGl0_)Q_0eEbE0xkoNO%F!8Cu4NQ(>Ljq=r^)3q_V}XG(^q> zi>fvB>i}L0V=kSS@T82`2mO#?KR@HuBR1I0YGGrgq5~K!Noc48u6|MZgZ6`+h_lX{ zn5QcXIDQYcXe;#lm zC|z*HPIva)86Xd}xr0!$eaBs*NRUgZTb3PP@RBk$Hu|kbt!(o-*!_r8P7(5Bqd6%f z=4x6S)-dAw*`YiRznj^{!Y~W;FopdNUJSEE|pu5=v!U?PWY4zFNRa% z-S~*~{G2P=N4<#V;1e50E@m91nzV!ux!{BUBoP2xn<8ib+9m5RvrOI(_YjL!z< z>zGBkUq*~>8ct@wQnU3p)8yky;VILGe0I~-ft)IK5MEa6x#z@57|9B(Sj+o)wTY{G zh8%OV4J5YJ`=#0Lx2u*b?Zo4RooJ_3My}OYcy|g*>^)t$dkuBZ4cYk&*F2f>9-`qw|Jug5VH}Tdk zE)z&t^21rk9x8WWyzu51X#l$T&m>f#9F~YP5BY6gqT90#*CAf?5)a7G9 z88}Lyx$dLdfvn|#Ur(wiqwTzGSegQg^BOBW6bJ@I2wMPYn|^@CA29op&|RG-?%JH8 z*5os9)Ob1Fll7p`YPjstFw~wUOuR?OVxFMZCH3Rg_X}d_qLV| zR{pEqa>s$HRr1x8l?Atp60J3@hB{bn#*h2qeYWk3W}G#X3TRU+aRw=9F#YUJ?R!sc zbvzeg1k1DpkjzK8@O%oF!L?nGrDxA!vv~l%#7ddByMq{*fJ0hLw=N^P%>z;x}6 z-EfTUmEIkH4GxR3gs5$2Wu-^(BEoTZRN;v?FB`3^6hs~%^s^1m^S0v#m)N> zc2Bfk^O!e9>U+J)gX2f6W70v=#Fkp;wr(K7CtgGeD;0KKp|0y8QjosULuXm~dL$HS zrjk8zjV^mAMMPzpxIs55mnK`|TZVJP+EaKtZmZw!G`fJsBQuuT=}bpVy3v+(rR#MJ z{nc)XSZS<58}i<0m_Y(RkrdJALIBcZFQPUwoR;6`Wy+=W%llK@jLMPtE}VKmI$GrT z74G5-WkI(_Xx(-aM6F#gr?GtM%mJPiTWW(Yqh9Wb-uWD-r0>gO(HrqpbxueXcetXw z>d}GnuLA-SnF2kISk7+-qH?uB;hf?xp$N7;L*?E0(wQwY-H|+al@}PhD)Fphj{%4C znm``%`jycyDVDJ}VdH0NBiO|~v=I;C7H`=x0|sE=I}O!Ub^2v#$2>*yU(SM0nw5QQ z-Hz2{y*l%M^Kejfdv*dWZ!ryBtt;dzGVg@lDx~wzs$hysX&2`8 
zEJk#QLd)K+)!WJGY_Gj0!?HvH2C9i|6yIO*55Tm(9k711uj-@RY5qn6)6cra7V?bo zRUE16K=)5VkzM{7SNugVo!djd>M|~@wM7WzQF}}vKGtj%DPBLWpoAV}3U*^~gZs4U z*Z96_!|iv~KL}3NL+op}6yKH!*TYYmuQAzQjJqk7=qK;yjx2|@`h4cfo7|-7xhl)7 zK!6(Xq&g}x52|zFP}+`h9~}fjkqi6N>12qubvHhf`9iSx2Q0F7H~Amlie9t`^R5x` zASMbkwp%YF7FIBhcftZexWAmH4fSv0#`!C;Cw)Pv|8H1?Cn|U(a(n~_SGb~A6L?;BVvmr#SZl99zct2tNmf^u{B|DxE~6| zO?Th<#A-io>S0A?|K5tCfc`^OVVQYt)FAV)9yCR)9&?pjmiFL;_IN!&ZQ9dHvC7;t z^HbM1yz6dzi`bsvCwP{oI)DNYhnq)a$GvrF{E^oBAo4VAVMpwc{qv(5Wl8%2cpSnf zl-8v?R-Ys&5L3#FqM+zJLoZNS&rYo%+y}qM&V=@Btru3dMB4WjDn4)8+K z=rY{y9&ug`Y%+3t9xJ~Hy9 zq-6eb{yJ!|f5eT>cI#F1*VxkgO87Oyx>~GH_p3~hnlqD*Dtw9$#+2GCHbWO>8#2@r z5r?xmT-AhTQO_*YxV0u&&$O;9aQ#rj~> zGfe!mgv{bq;R#J!l>PyxK1Yfv`>KMcW@X8q#o0?R5$l+VY?fT8>j@s+ zNN*+wF`7GyrBfHj5}Z5ZCCeNTm8OGql{EolpY&}zfop0t zbd8($T>-hmg! z1Trp8Ih*6EMe~%=YU$*)UNS$6Z+GC|0;%w~y9!lPj=LBtIZ$@iCG~&aWp&xXPgkX7 zqxDv^G6BC~r5xHO>mBJnBCDM)TEB43@=LsKUife^eu_jC*W+cMVh( z3V*3-<%n~NbqtuhY=nJK)^Ai=1V;=M&C7x&-%X^8LVO=6j>);S}4-@zN_ayjf_Q??xWsmx@0 z^L`#YuoNaTho{BKH1KJlHrMO9^rv-+h~0j#4bANF26;CpD>E`1MGq%S2ZVfx%zgR8 z;E1~mi9NK{Pci8^9Y7zByEzvFprK*-T2+znCV=NHkBu7kbK(aYg|2>}Uu<@_%7bz* z9R0c<>w-984Tf9w2>}fLe0bkG1=T&kc{GN}_NSy0`gc!Lm!fa(D4{>YL!4EZOB#d6cj9pg(w83l;s|?zQwQh*DG{sfThw zf??n*wr_0IfmHGjUjzk3IXcB6N)#8BUU4i1dW|FS^Xd{s*Wz3rKXvC?H`T!TVRrL{ zEEr9dV{&x77x4W%`mJ1qX*O7AF7lMj4R1!`+V&nkiz*24 z$HAp|2D4&4W?nno{$gB}uvdWsSAd8T~3U zXl^NVEs;hd&$)m8amO%!dV&&?G|hSa={=#iNzThTMe`UX6E6E)+*L%rtaS&UzWX+y zYP+%bPBhP!v`?__o4_|O*<8gmDynWajUsG?880e{F}Zz}_b+AN)P*j2(LJEKSbj4Q zx$a!UDne(&4cc-zXW}crR)$XH7dbPH^xo$Qbs)~!OABLfPV{)^kF)&n+l~@z=t*$m z(h5F(g>%$tH)`a;VtJ9Phm(z)CC`-B_Va9oFr|^?+H*Z~tyPdK<1M(+w z$EbI?EGXe5vy?EmhhcK2xGQgRXv>*>H%q|FeXp;cfYp6Lz14PV4PujsgfV3p9$-5w57YE#R`&vimV zsZuvBW|6g>Fx{{F$fSHltVH+hM}eYD;e?&GU5k@%(zh{AcT~~R7uwuw$l+9{l2vB7 zDMd?c%PUXNdj2z>Ic{%?OH}I302L<4BfSy3yFsnUaN}?)IE4KdxLo;4j>=1pLGzAF zj81|{>cN*^&5KmS67>T5R?=2X-560`Br&x!Ga=nrC%8>kj$%~#WSC+egM zJG05pU!**pd6t^4*g_|tZ>v`aFTcJO|E*?zNAc}7MS&q~#c4*#0U(`uew5^{c70n$ 
z{DCK~VAtjYo@AQmW96J}@rb!OeN&Ni3U@r1Zo);R7xnDOmu;qfl@Am(0cMT7T(e=9 zkw3gFR5bF<#cy|Ne&5l0vtJ!)Us3#j+Pl_xrq?)br9PsPbVOysMA-;g(e)rU&WIv+ ziZCU)%zbB$M!B0sL#a-3$*tBd*<>}#h&giE(hRvw?lKfDoqwP6=A0Mj)p>cmc%FC9 zo8R+1zsvLeKHs0)I_+2pXe7E7!SuY#nQ30+d7xw??^$kU`Pw%UzDAJS9A z;&!=`=XUW5sizwo?7J^DXUH5eyi?4sieYh-SSgF~@%y?j*3+F^A?Q6dhN-=h4L6(E zpnIY6jz!-jW4mXc(8H?{eQYUziNC_@eIBOWLLIn9X!bN7RGBb$=2>#$rb#_s8w%UMF;?E7sLRuOa3% z6GhBT98+yK|J)ReFIMa*p;Hrk$=nb{f+}*va`d}Q*iBzIY>^i6JPPM=^2_G1sOVMt zDxt;oORdwhE+{l|(()j=3kHdKeM>?a?K2dW3tlE9njj2;Q(xIWTD_IJNgO=;Io=XDl4!h2?1$LuI zDi6$czv>>1_pMB)wyp@fYox zTnBeA)s;I}^M;Sx&iB+BJWT6v_t?ik_OpkMOc&`>)rIRkQzl65Tg|Uqc|!#{&seV2 z!-es7B*K`Nd1SA0>5y1d)CK_`R5as7Dt)oB%2G(jP>EBY<@{o{w3V7VMc^%jXLC+` zRDI;IXm7D|ZFysFyt=|tkF&d zr2VJ5S9%QqWr8KrRrT}_pkSC3zEr#13;mgqM@ri76V6%cG&%=S?AP-(xt_CNs@_Z^#2TrJF}scJRoCAbAxZ*?g>UQVX*2xG=&l44%}fF065^E_xW||e z_r{TiOKPMnt%gkP)(7MBh^ZO=+h-<}KHP#s4){mIK;Du# z^9XRW@-wlqv;Niz6e1!b3Ni}r>({ufWQ1g_|J$#Z4gmTqm^kPY7$|Z8G&&RvI@C)K zfCNG(9MoT4fdBr2f`);GgGYFUh=dGjQ1=D^4Fv-O4GRMY2MY^n?G1SjfJKMHAY&1M z$5b*xAa}rG^^f`fibAxi6I*%m6v$@m7=Va`^A;BmpOT82hL(<wh= zDQOi|HFXV5Eo~Fik7ni;mR3&AF0O9w9-e`pgMz<&4GE2ni%&>QO8%CTos*lFUr<<7 zTwPOJSKrXs)ZEqG)7#fSFgP?dJu^Eu|8rq+V{>bJXBWJ;e{gnwad~xpb9;CH8(&ZW zn7^_GdH*Y8|G*bIgfD1VSQuD@-}r)pc7qfcbXYht7I+L1B?Kb}OmbHLS6HGk->W(i zDcF=xv5g%kk#K-Ei>RF9pIsl^X~{_xi$_FF3sQ+2Aj zD@oSRZ`oXo6V|+ZIC(?qlb`43WI$*}aYok@pT2B8MYWI5N9C!>iN64jv@?n<7~_!% zyh14AS(Z83K(OeMk7-YIZJ+CAqDm!X7+(NGU=uNi`_(*;B1`R<&mu%=uQ6Dg<0vqz zs!{C$%Y1|v+9XSH5uV6mv3O;9=^K2E+sdD5g$@ya_V08;M;Xx@-0!^r6z_ZNc3uEz z&k`bvoo;rH=ecaa2;^VUv}1FZ92`!>z=ho9?h-9YOvRYb2IeqA)+8&WZbVUbLzP^- zp0qJ+{4^(c5ep)wK#YRv(7rSMEE{Lx6kfr#J$|>8@dLlR<{V%+?GCW9< zuyigTC0+msr+nJclf!ywdC0~5Y?DsdA|)7bRxQ7RDyb?&93KieXw zIH5lKvTj#_*>!&Vzf3Oi8lU|ZR!^O6p*@#lt zxrt$ZG+=;>OW*ubH1B$(uwbpu{iEnLZwgIzG#r+a@V{FjJetk5E0S}13M#2B?RKuz zFSVvxg<7N{G;|};4&|eFPmVwBD;VN8BuM_M=G%&eSDE!--0Vqj2cp-x^4&H0Md9@v z_85-x*zp4B;ws!0xwgBS@GW^hxj&gNQ;+Rh6h(G7Q0e#(?(g&lC6u|iLoS%OpJPTz 
zv~+GQ^##D}jJfiR{1|Ci(^k+a128zIEK`Y(X&7XWE#i#HDURmhc0i1zNr4^6j7 zQibEf$GaE6Ay_%I=OfLwJB^kCA@a*v3A-Y^%@2~P-M3IjSYg2$ z(eOrz`kxI?eUkHiyEt;a6Uv_Z`0JC#C`N2f`dCpN(WdGwvXJU|UGh_HC$z5x3+;yfkEYP!Q$Cx34Z)j-reC>T$obAW+#MO0uW~pFZC_z{TJhJ~_ z(;?oUr9O6y;5pqe#Q-u3wlE@>G-1hkYZ62abo2nvl~2lV7-omk0+htC{w)9J#sDg0 z^T^)at!w^1xjz-l{ju0xf z<~{UFM>4&h#DV#i1u9#LkGzHtHvjKE41# zTt+fMkq)Fz31h3t{M+{`!R-P<6&e1FZ}Z#dhgBwB)-Wwr@f)PB!fwly#@;Y9j2;F7 z;_fuixx$X>#zTJK=%HzOT;3U{DWE7?|>3K121^W{XLIki=Gjc(<~)?3x#?=d2(rB)d6Tyb8qz*Jd3x8SndE z`h&sw3xFlh?c?fN<{i<-ZPfbJjCRN2T$c-|;KXM9;dbeMt}nfOKczmrxh;KBFrzbd z++ImoS%lgi79et{J08TqK7E=v#SL0_r<@)hK!U~_O7FQ(UwAC>OVrwWN_W2cy2-;- zFBdDk0Orzl9l%Ax2+(jyAQ!YP9tJo6S)`)*Xzgihe;6V@J?4_>IE>jcYLYmB!7mQ z@$RxDvsOEi2KZ`t;IJEDEgGYwXrxMW34>Le+!acb1^sVWP;}5x7Jj`- zB9X|SyN`EXPmHg!K9L7x-NCC~Q|fC?IhT`v04FNtP@wCu4IyE84Ph5LeH(mW-D4oPK5Fe-Hf=?2f0ZO-v-P3;4)Z2Yq@Le79q1` z&&Oo&8ONNG=;Si5X5Yjoj*lDrSF|9?^d-e6>!MF{u=K>ke%$xFVZN`mmfXuPdZZY3 z&kx}ICzCyl#F>TroH|Z)*cB0CtgGFT#(R>c<%+Er1s-G3oj|5kA-2iHt+cQtisDW> zLMXN3)6N1`_ge~yi}OlN9$7UBGLoc#BUoZ7(hM|%zBY_doY0OdH-6TgM>sn>H|xAL z_eib0*E@SGcl+qkmvEesYzKX9n4QnqItIbl+VFKY)d)d9CXrp2d#m~#GIAQre}sB7 z5UFq{3*zq2Z5Ycr^%xi%w0wNZ?s_A@4DWC|xBZM)o!RS}L2hXaw^P=llMPR-rII1p z=QMbtqpIYJgY<7|3I5eG6~~vH?Z7pBHCW(b_dE_3ex04Z)BYfoPOS3+sJWYfvH0uv z5{WN>U(e2fMcUQBJed4TBLHWp+g~62`Qtwa4E$fBBq?Q$n0u0sk+d@aMNcJ>ePPtP z7eJJx?_tUdfG#on??3nl{Tn)9f8-EilRZ?t0Q5*+0HPd}5@;*Fzxn9*=tVSd{wb?z zTs>vvn{x0EI(74PsfeW@yjTMI8Z3Enc}=KTU;NH#4%$}C4ba=3w_J<6Elf4n?)s|- z51u_^Eg|9P^Yw_2))V|Hc?xB>Ix15~8SEJcE7{`F(OEHTfHWWMQL7(FGZn3r8{Sm3 zN3i#@*HdF7M|GdAgBM-5GiCkdc`bL_bw0O`Ush>vX*`%mw36Td@OLmNlDqznk^1Ya znuNLycBODrXPbuhkDtFB(7{VaDF%7)ABIg)7jmEttiw( z#X;!B{cHzTzBfm0_MCpqz7Tu0?t$mB?A5J_!o0Jdc%Ph>TwN`y{wa%(T09{QLeaD8 zd-b?yi2TW9WZK_NX2g|#dY>_@KFe@93JsDbqC#hU>RQefWhnmz=-yp-it>5QxwR>p zpZdM6Jf3>S#oD(vuVf`x3IjDS&k&(E%~?i?B?jB&r#u5A zm|;Z^1~gy&G_{|PaK1&iPF_G$VMm~#$t6jbo)$u05t3}+jg=Ey4c1?67k7yA z0H^#_1Jn&xwqa+eUMmLjRkNRj9P*fo(32Ftfwew#psf4BcSrWml~_Kbo-zEuX*?~j z^Uf2DW_;b&dOb*;872U 
zXlGn_C>JUK)#Dziuklo@FKFGHmtfRdrfQ~?L&d||fj?KL218OD2+fL6V3qTI-))tB z=Fx*Nsh+iM`;E?1`2b4;D^waSFcuy_l{$BQbpLLK)AQ!ZV9#xMOK$PzOYQitM_(H) zf_ApC7l6v=l?DPIJK1e@-!H8YrHe#lVtAx=1Z`mi(lpDme{~ldz#At_gE~>Y^o6_4 z7DB)EQki?lo)jik=Vib&BZ;V-s=D)K#M|eXWwq3j7=G5qhu}b;5G0EGt~@tkD+AuR z7&icl8zGw6r&fA#Y5ZdP6w5B}v7ONuV>C08L(0Xg4F91U&AcctRd4D2_1?DD4548o zu1aQw^d{pcrJ{rOS64Fa7?vvfn)KVcjJFZHg7yT=SP94nPH7qv8}GiPB!1ca%Au2d zY3;7uS*Fj(FNw@T0p|NMqTtkTOPA}5#;-u)cV&Q>I!bm#>3!|^d}bhM;k0WnjEj)P zfAc->$@2veJ^lCsP`Kc-dvxFkf=r_Cdzc6FF$RbxF@S_FGis9Q|!=G9cr+rqVRGzZaI;7M+ET_{eKIle_@>e%bg{AM3I zwx1jp8&vm>MxU%-006KH{mJl?B?L`9=F_I*b8ii^_`a+&EZh>M;vYVfFfx|sWrd|A zM)v<|v;9wOntvf#DN1ZAyPfN7KT*olDK*Id!xsS`8?y=}VJur`J-X{7rsLXS+G7<0 zvqU&^UFUA}7>&YgKZsHPw?f)dUDw{gd6PJ?+_hqo!hGNh(~INEnc~veP+b?W2)8YP zVua-b6PghUpvnICD@FfdXV7u`9KHbNA;|eegp_bV;8ZA@G=MQ(ELVv6A#80iZ#8q( zU@UR^nScESP;UKLYy~gUCe+%VPB8s2d^dBc2>X}H}%3U`GLr54aP`>Md#B*|>{5%0#8aV()Jhi6ah$2~?HD0E$u1+P;6aTm-+7Jk~-Cl&BZL zcYJSXBs6In0UBs)h1-k3=cbDDqGE!-RSWS_5gxjrl4A{2_lGtj%W;qiIpOs;+Inpm>RP?_MDt)bdKBaTcMB2Di zg)c<+i7to65W13kJrW9LF)stzn@R8R_4E<9)Mk?kp5REa)8zmMm}mShb9GGK!_C*D z_y^A!;$flhHtq}HHsu;~s+C0B>8ZsX$>w8x394r#A~-{G)T`HJeTQl{_r&g&TAo<0 zKDBAk-N|53f65rV#XJ}o%MUv}% zYjb%)VcyP?Fyr)K!?_a0O5<5m2=HdyHlPjGxyCk>CKpN!OYz^UVE5k6_whyr*&g+1 zJF94qq{$vjjG@u@%d?1Tz|@wmI6aG;`OfcDJV!-Bd`JBsXT-5LH?C4PK||ejA*%=~ z%SGL9{ESwPJJ0q&KnsYBTemFySEDcVN`}1)%Q=!3GIu zJ3on^Cbm?#hpryVR$Z*ih()B1ighD6g|op-go1m;hSFo1d#E-{?eRm*Bm2MzHuVE+ zOSJL*+X49#yUA8_Ro!g;yF-N!3UE?j!R)#+e(bFTra=n`P5$pUgzzNo7)K|<~O)Wi}Cjfhq_}OHTKNk?b$jue*{&a z835d~d`H+`0952JfX$MnpBTBco&5+?&8H4&9%)HeMYF--33s6r2kKm}>j{=D30y~j z#qz%}BhhqW`s?VeIBDM`RDkAK^8&xALPK@(jLSyTXAl$5Eb`=9Za$bNy@?c0-yZqe zlgL9tLz;mA!@;0Wn7GI@i9@R$Pahrxdb=7)fvfAP`+RI{Uw`0+bQYsZcJ0G zMb`O?(yS%NA#UsNq?xi;qwG|+y@gr|^kUdMt+6ze2|!ps-dHxZO#NvLN&hy#eo{v& zjEY3gqXEW@cIMKX)2p6(=B01OqE)&%tlKYuQXbr`OwU?|chpVwDZBKVBg`^5KerhK z4I3%wSZ)*`Y7spQR;<>bv19BGT2&otS_%hO$U3FiUFTdtket38HmW9AV! 
zqR_sSW6Cx*m}{6dqmjO7&`N zU9#Lv;otgXi)(&Br=63hv$CXJ>*fd#+Rj2XFkUybCB-=z#P$q+Rpe0gbFnr=U>Ol; zVQMkr$84bMlHXghKhRM|~r#Yh#Q z(Lj+Y$OG{zOVQdi}wm`WKv8H8ZIq!M9TNYN+|bvqY?1%+ML%9%K+qtizbO!?|7FMt;*uiSS)@ZJ3*1d^XTn@cb|%sfX6 zdxijtm!F)W@*tGMz4{NQZ9nD(Fs$&`ct^nmY1UnfyJ$`BQlS~;3Zk~rf?EVG70VAwHNblL{|{eg7M>U@5k zfS9W>i+y{}!cwEnGNK=9_5tGSuv7z2N(8ZR-40TPl2uc~awlXV3 zg=KZdq2hACJQkUAVuh&-@(7@&lyv*PZ+0g>hTxOb$VP<_ApN9G&ovDU zCp08X*((Ffl(>V#B{9TMU}I`QQ7(qB1bdVWDYHXq0RQF%`tyIt;(r}I9nqCsh2WesW91+sGpMeOrFH?7UzH*WDrd}%)FK2*0sUvh zU1K`|NKk#k2lVBw?e$fN;1(FNE^-P!mTNWG%%OBU54dUGo)InRM0L?zQ&ZD7d`cjp zio-(P9d?D+hk_)DLoy~t4ynjqe08xJa>0yi?51SPs9T*dS-XWx?(olx^J?`nCBF2U zIzcUi#*>L|77M6slYXY_E~HoESxRy(2QPqXj$tGvg?+#JXKugdT-~H^an3+kBM2`s41acpV#HFz zEdA-7vbnC%%;)i`NIHiFEtKDfCBN=fbuI?hr`eY z>>icYA_7~BOp|c*;12G`uUUu|#WxKhCRWn}K*3E7)=_GU_vMQ71v2gHUDLYNRe? zp+^*FMN^x!OqBixtUXxG>t|_OcldzBP&%r{5GIob^PXyYRwgtuhs<3XXl+`eId*eL z=)ytj%EHB6ton!dlG%jttDc6CIc-sx(-^9?8$`k?D(n#0CoZuspJH*e;qlQvCTo~w z4-O#syPV7ja3~KBmpzgHN1_2D-}E;MM5C=vT}#<9?{iG>5Mt*1fPbA!rZp0UK3 z(C`XH+$2R=2$O$H_cpJuGiz8gCI^p?uRH*AO}NL78vDG!SWw@^#OxffS8CnfaNg!B z4*aAbeX?k544qn(30bmHDl)gh^b?GSNCqY*1u|u`8yZ88(b>_OStSu*oq@zZ)~Cb& zQPhC@--3UC&%SAE0Kvyb4?sw0kRjsOCiLYMP!aZ0N!CM|D}un)6jTyKorXEa>wF@N zmK|DgeQ3wZej#EBw1@}D>xlq;g8dkNpS#bBr|hn*d1K=c(89l+-qV z)MrR;g({8$^&JffvDVFnzGfjqzL$e&wxxHFaZH*x&<%IdFBaa>X$(!+0($nh1So81 zz0P+DJ53HuM?tF54)Ym-XGMGeqt)qOTM;;m@Oj1WkaqttS2mVw)XG`;b9qI&sx*>}#jm)> zKlWFfYlDKc`E~l*6QB<5;TVE|L{4iXCKrg$;N`tpx_kRU*CVNA{^sGL(%#J>W(LJ1 zRAMsEor+~&Sp<y=Qr|_;F^jHMXoG`Gnye z-0IF#7ZcYzYWpz)zgK)sWhB4rD(6A|)A3z&^Sy+g5jtt{edd$+ z-6%}>ADB=D@oT(k{z;{Aq|~!zX1GFSVygf^x!g9-4a3HZNZwQuowus|5;G)N4)-p|{1KT8HDZh>MO^r^N!T|=b z{)`QA%U)e=yE2Day995PeT;NdSJVnC0%Y7l`SJUwto&nNLcbqtKho*4kJFc7G1k_+ zvNHVkvc@Ew6Y%`)@hDNd*0i-m%Bw47Fw;kuA1o31CHlska)-G%3pe zRxD=U$+YW+E=zFYbEIYv`Hh16Nd1rXA(zP3C>>sE-5DREPMix3j^TI-=O>*M$7$w8 z$8;}%ueA#&j9Cr!wOVAV_RtJk;vI+)k8p?68ObH>|8vnzdj?Dl>)~$?%%j=lgOAk5 zsxk5cinBfuK5)&ITdU8%V;wdEIb5%#DsR#%DS7N|M2)oFlh~;JURVE7!6=Q}7s?HK 
z(3ktI*|~?7WiOy(vk)xQmK_EWvQFkXR8*$QnK)#MOe$B;zkYbD6YW7Mwd}$7Wu2!? z=#LZ^2CsHhX+o#pcB0nTdWk2-UiNbW1%kj6JT23uSIFGRf@P*jC@^lUfgzM?P_|q( zv#s{xXk2^opXmZis%WCuQhmmhvFX~5(DA3rJm$i+{(f1Ma$ycz5X1NelyS481Rdm1 zS5Bq8<{Not>5FlmlTrPD)-UVMq`sDUQrO9!(^T z5vH+Ii6h+Ss})>8?=m!4T3^43KuBsZQy32i`}e=sG5DYB!Q`@cc#|{F#kUU*N~M9%%Gv2SPG1vY<^Z4Iy2j4I3xyZH0;$|~O%ck*~)6E!lQ`vAZ;u}aK% z1>f2qQ0r}rGu4A%o_QUi-uFwhtUoc9f)kTQp0i;@0uVTzVNK)ib4&mmxwv8!Q%Vu( z9iG(^tgM>xIi}Hc+es($f8Oy#?Q?tix@ws0H+~)uON+RrVH(E}mT+vKGqJ%?)`RCP zRQAeyD_~`P2I9&hwNwh_Vq_K@P1MeMkYEAATz&iR7n$Erk}MS8U$iDO`F7;4FyyP6 zi=?3$`V*fsGl|>@ojC|siQ;}4vrlgtUCVf%J!bM3-q{wwZc$Lrm)ZJSu0Sv%WW^W2 zk0VG}<%s0(=@#3?)E3Csdm&+~PJy4^2sN9Gf_5!0VO8*y;Jz4@JQrG% z8c5cL+ISvnGJM#wgxl{q`%lz2dIWol1Nmzic}iytS->hD%)n>PK`4_>enXPe5-whT z$O_F8iVUDkdKM^;&O#)fB~~09x}*S@r2Mm<(|g2nbT~c>N^33m62`JI$M^96KoE-x zC$YVwE|b5WCh}ks_1V_0{a7t{X6O)=1vw}3M?>&_hF7zbn7AcO!Jn}#5icSs$zCb` zt>K<)+yKz8o0=kJ0$(?5!|Q?1%VSC^;rczxSHhU^*O@ffUVps(FcI0BMsOa`{+I^k z*D~kzC?l)6cY?kLa(9Ek_9t=mVS22)e5oFG>}$2+_{!uf1Re}iiD&^16OrPQz1Dv$ zwXS~t6rB9TI0+!UxEo5I9&1$y>!eY2>(j~miA!wHX>lFvC*F0-YF_c`qKnUz8w^83 zJ}Q0)qY+Jgp6Z!@IOnJhJ-^*&L{RSRZ1+t98Ln4V>X$bRz*OB|3jR81Gq3CYe~PQsGP}lS3`3(JPh7k)WCRzL1)tN9LCg z7f3#11&=ZE4aLanlvM}v>B%_rd2|X`o%|uGOEyxPov9z1k}@lYi9){p)a)^0@GJJS zUy%PE3AN=$bg2K_e zI$Vlr*@=dlr(b1UI}bGgZc+SRR}|eFI36~4kXgcW{-4Z<^sDx(W%a4G zxjAOvO534D%HFo_UP3W+LyH<@MBKon{quw!d2xCjjp`JT=-4Lmd;XX=P|*}0vMLAp zz8d}{#D*{ZW3A`_2Zt0&v5#Df@UQ%^CsxjhVXYU|ms~_+9M^76!Kz#iVJtHV3c6?> z@E6ex|KNJmc=<%H@;kv<##t*bi2!f#1s)aq^0uREfpn2l9nl#GSvh%rWgDZcGH}tO za6KyQ7S(TAY+`~PyUnR9)OTyvy3flq4I|7(u!I(kzYH;r_#6_w0BAb~4r4Ot%d>-z z5j8g-KZj`t%w}V(dKXh`rKnoskOuA;qHctHg1|hx8SFA=)>w8QcNMPPbAmyK&tDJZ zx8?=E?2I{tt|nW+;T@fj|jMY$7IR)L6-9HNOP5ahW`0nY?w4dxi3@D-k zR~*{KeT;5zkkj=?EwQ8SVN&|WzNPE!8^Q{#;Ums#-#7iv^#wML-?ehilUR?}*1dbU1N~;^KF_s5Lg!w}FM#&MwMW-zH?m3Rn}+J9EHTFG>VyXE?D4X?Pz6ojOg{;{7!$DYZj5{dTu zkZsA<1$-PeGsBYfYRo}Wh!-`4b1yb9H??~}|HV)#=Nmp_Av8cO6?>Rv3K@vH>hPLM4Ly8VCRj^Hnha* 
z(I}U~lvzV#!-H)Kld^iVH|lT=1+lltgyGsm+pcexmbA)ptMahE4<>~)=-1|7|)X*b3t^j z!p7vQ3|kJoUU9ytnlQoyc(D$0Lagg|4lzv@68hi8L#8QS0EwAblP`cv3WY2Yk$o|Q zJb)Y|m`rT%JJ0c~#_|5|>M(4EFMybohv!zvHg?HVIP21)2keOjPV34_hOVw~4cs33 z@1J}iIcGEQolkFn{=#8qRerA!N;YTKkZ4U+%Q<#N<^*HA(&#^irqGofLG(_qewI4% z=X(c`8%D5~SMoKt!HFmOWtsGr$sD7L5dQvjUv;N#r3|5y9HuxE;nucpgKpbs|8A0Bi@RXKO+57UbeZ)?D-tJat+fxp^$C4{Xd))i=-1kC0t%J8x<_H<* z>;q&PG*W|~Ok*0adYw2^R+gh&yiB|uu63*>Io^i2NZHy+LmsNJ$rCOxJDG0#in zr$k&Z%8q{IP>ygp#@of?>`x>{WpQV(&0m4DhwnehS@Q4 z2#<$>39Z`*Int2RBvDHGrDT<%7qo5A!qt=S5hp5~D8=4HgVy$v6?=FA~$rBJa>E^827A~R=LL0v6K+;+`Ry1J+oIy`RLt2S5? zD-R#jvv#=v`KNFa_39k<4!CR_4;f5(e$s9}iuy)nxVy+|RL4GjbT=tkF z+1l*CTho*}$eUX;P~EdPQ2rST*dvY2&8{=V^_d z(jG2@7SUt39R1S$bG_X*nhYenfByY+VL3uKZ~A(sVr^9lqvJh?7XJ1@EG`LyI4-sk zvi~Czi~nMJv6Ti+2Ho`P`3}Cv2bKt?d8HWrw+xOO0BC0(JO+3Gdkf6rwp+YLoMlRR z3uVyG=#LzNgFz!c-35X>>SVdTDaHlp-r8*dDyoEjT_r~ZU1u#p$-6fSf@yYmcIFv( zJBob>T}>wEk3a9+0oPc+&>$xdU?!|u-L9Q*do=8MV!pj$@H_rEw$8I1P8j*KLTK`s z$)!v|I#^Fe5$AlcsO8nMKI;Y(7Af$JJyZvAn)5)heO`&)t>=YGTT=jfkrfM`&jL`I zU^LEnM-wF@V=Gbui?ShE;N6p(fO3h9F9`0cEQc@p*Enm? z!77-RPQVret3(GzD>2q_>N^`r=XJO=@F=(O5TQSZEXCp)8m)^Li1Aew zo~E6pv!mZikBP{}MdRjr@nd*HL#&7T8A{6$qkoz+9*0@0K3FU91t2>cRC_!(y|3>Z zLzPFlAO%|p0CnHk!Wb5BBh9tUp3IFwd3!Txy#91pk~=@8En(w|iBF$pLMRb{YvSe< zE5>K}3nV1G6Z>HU?TRvQv>x^_YPNc!)*K5eH))Xk7CCD%f%uAu)szYGq*kSV z)9(KHhp)pd1h@=_9GZZDdjIPMTO6!WT{BZ=!$iq4?u-`KB&kk8!gTx%T<`+WuF&Ax z;`v1&jqlQ1qpz<=RG&DRCTUOu^GNE#C<>!}qfs+`T*hb~eRt#NVc%D*6;;%+hu}1! 
z>O%(EEX*OhdIeAWC5&!GaI7AtfweD&nVkL+HmG9d23QDqT8xFCLW5kVkmy(CDmx7$kNrZq(2E#9a+|#+TkCsB`81ue|cfOYy__J9kj50kS zP+>Zk-1P2D#q4`2LK}2)g!~(RXfLEOLC)AErG{x2B61m-eQ+pHLBLd$C?FP3LMd(C zU&Y-_HBk2qE}|3p(|nmdjJ-Y%j1h5`VU%58&V1GszBZV0@2DLc%869eg*0sJYC0B_gXijjux61ZYpb+P?cAoP(|Y13La6-kS0+hONwO z{%&8jRMRQr?0QP5U??lc6UQ3GXo6WHFM-^fBarPoLGoKNg6RtY2~g){VqK_n_tw6& z>KFyP1$`p4N~`@e$|4hjG`s*#@r1gfZY63J?qT*JZYfIUhA_UWy4@qiBJ~s0Z#fR| z3a2@c>vAxk{qB9AVW@8v;S;b^A*kJT2m~ZMA}%Z)WRW=9Wzm`;%v&>%jkDEW-zt?`V_&7*E9h8;IU6uO8k zK$i1X)0nkrjqmSHB+00;aP6 zB;v1=>;E4kQOpL*XkU{YJyNV@O2-B8^z-J%miR+0fWE9h9pAZ|1ZL=bkvl-0BYJfy zcqP$eaL#bheg%H_>}TT{*m_r2;|Fr=7H$_@4Cx} zFZ<{o_$*Qh*<7v)p5rC{u|WZqzj1Xx8CPubGH>bpv}B9_0H4+XHz{$v-}FC;wf~Ee zEl3_T0g-3l!GUV<+CYjB=ldWO={JabtWb|7_{b%D?E52cS%qV?<=jIl43fX;h9ASO zhkIazTAX}9&Hlq{9rhBWk?@-g|&Branyt+P!e@_<7NurCOZC4)|z>Ow%kn6HYA zOCw6P(FnHvF`>sa`RSP}w@8bc;976d>l4)k^OlCLZ!p?+#KuOI1-28y{f_-SxW#22 z9J!0J5WKEAvw?1~-RPX0uAQ5}ov7MTNc&(fH`r)tWp&x&En6p7Duev9?2^XKURlf% zp`W<$4R*Ry>Dn+MTdxOpS>0s9MxvSK4BR5Rqf+zZXk-35xuW3^DruA3#YnMc-4`8Ma^dJPj`e&CpRW6+972NP4 zP4SHxJ5p0;AWUGC=esBGu7<0dbXEB_m)9k& z^PwrLqRauVibT}s)F|L3 z_vSaInnJ7){A&Up+`-+uk*ZQu&Z8(w0v_1R>lXB>79^U+QX@+Ysi%g*+?!n~$%r|W z@?|W8Z{l1gJVZXNvv`oJiTG&1TpJkHO~#f$T71#svA4TFe~tkL5l%;4oE19>V`fj3 zHK#!Gl*v*yAy^_v%k&A$>oKuB6chmC@A!G6Z5cR6AlF`oXu7`S#-ve)8d#?Z`$i#7 z>!KuuhKwC1N({E|aH>N~P(-LBN8>-}W+5QLw%bkLzNuH@D;KmHTvw`z7Pfi30l_Of z#o)z7jav7kNqiY&7ZikTc&+NEaO=}6KSk5r3YlDSf^+3z&Az5_N<+YZB zR}>j+eO5Y*8j8)cWKv8=-<2r@-#4l!XfsQxEyWG;2Y2*KAJ7#4$gcmwS9B1!XcgD@ z4vP3a?)R_XX*!WV&P4p&3P9zBrVBfC3xEby%x#iKf3wvw#QD{83>!r1OeE6hQC_bZ z>#mRY){!^CD9x1kHG@T!cvV(cAre9sHjND!IDQks}rFZ9rHvSWTGeioR5B_~xIdYa6X$#Q z%2BctsyD%gAZ1^69Rf>R#|jVcc{ZQbD{5DM?A)6HGGoCXw;h`p2>L$!Y3baLhS1(= zVmsxC1`?ghDmAg1FN3XDNX9po(TTl9c;2UE(2WLZrOvsy+YH_qz;l++E z9?L7$4$Av)xiAlp{i1j}Miv#tDhr?vC^*v8bpbjq3RNX3Mvdlp1P7 zsbXYh4_irPzo^p2{RBG@iPN=eCmane4mvO>t|G)^Coci4o;s z;~MO@AHaEkQ)u_;9aWxp?&_+3LAqt{P&a%}6I5VUr?D!1aYjMoiRcBq3`rOxa0X}T 
zS5g?J{M@js(x)8O09juzSMe#fh$h@ojoP!kwqNQMI7x+tt@U1EqK9uT0{o<-G6Mr2 zH4)}=YEE@Id4DyWLS_)VvI1rQ3Hy%qXY)Zavz2I8g;Ox0SwYolR!x{l_^KVgTx&GR zipl8ecc=NCK7oCqFXQ)5?<=Aq_u3xbcs6`Cnqy)g+)U5HxT7<9IvGM$0h7WkIUvlH z+SVOYD+0oS1w*vN@iB3yj$*GC z4^5oKl>IF)t(-NxyaT7gTAjI{F%gwjh6HeZJ{#P4+!T?s9R1<7d#3O-w&kD%a*y)w zVk{liCPp@u`~he~s8EBwW_o+t@vF40fpU${<24{EWIK*B*-&8*5mi1v6e!}xfq{Ys zKSuHylcrjHk8m**`J_e9j1b8@wJ$dqccT2SzS0Pb4%3WX6 ztmB@(^_JBJk%As%2r%xB_BjuoEBBQ@-JZ(;HqKEs*S})`ktBgEw@-$l@l_g6jKX33 zXXZs@vPsnccd(29>bC##alk?=J4+9cH5LnhTrizk>X1H52RDzcr30Jbp0Y~9Z*eqw zh`f4BcZa)&_I@?ef2M)B&ce8!wJK6-E8_aI8De|>E({E{f0|iNW)F_y65fOYE21*v zAna$1(FQu#jW5%J>AmV<-5ILa7wn0#)nbJ5X0^-mV?n4V@mq(=Cnw4*>?i_eI zT5wTSOyHq@*rjF>g7S~NVJnPhcS~N!EtK^0c^6%m59ocpliG%gnJzFGn8DE}t!a+B z`P@m0!Gc=WV8w}uB8*VAm2cI%6F+ZY8bd7!ZipLMHfAVwO`ss~Cvm@dJczq>p{xyE zlnGFxNJm5r_|%=L&vHM7mjf!)(aVj(tVH)dBWM5UJ|=01%Cedrs8!kcjXcuqf^g$~ z&tXe|2p&uTROg<(Wum9_($8^gn!27LwTQa*xR`K9R!8rH*jtAb%)Lm|%>w)FhA1SLDM;N8QKCQH9iZA(?1P%7RrOtOq39v)oKUHWl)s$ZxXqqX-bJ^rWUx}UHlkqa^slPsJd5nl<7nk29-=pKb|5O9dkAp3 zU>Vo{xi20lcIzUe1(sA9yTE%7V&+~%b!dz^zZ7s#J^A$hb=tiB9VXingH2Bk99g8` zHB0~DQX9Xe#%o`Y8{-VrCV=lflz6n^sr<$HMcNym+N5UoBsYltGL`Fwh~J#t@J6Zn z72lT%S*5JHDz59<82?>($EqLw(2Jr24jCG@!kq{}V=bM&3lf;zqO_7@Xy?7BS`4SYiB1ahsR^8IET|0WV*f|gU_RYz6 zlu%Iq<3yf@PZsL0rBXGjKCI3|X|OU$#{_&^$>8qed+-dEbn(Jlz@{`jp^iu2GzBfm z07L+hP(1wV4wJ8sc8h@fKy=-ANpC2nVEvo=5c^y!5T;jiK^QyWw|3rmZ5X-!y-kQg z>WZAl<7W*#S+CIx7gODjVcVNy6=-!VcN#$b@;sZ_a%Np(uL(z~+}0%sSomJO?!a4* zxf;jD*xR;{%TEn&S{`PW1sV7H_jwVz9jW#Q&5}2MXeN~+w8-j@ZgD*x7$>U_kEFr- zbeQ7)!H!j>-3LpA%r1_gy2X(tW=46@8fU)YT)T@BRF#{pKwHmjC<(?rx_yQ(UU2vQ z|c?NdGQ@B})K_ACOsW4akjI69q!7mQ31{eEE;`m_?Vp?F0}3tMO(xF+TGV6b5+ z_TVl!7I0IL+9Dvt#Hca0zW?Zi1q%CY33UEo?ZMhBk1A;J0?=5uTojCEFB~!XRSNxC zJ@lveHrh#AdjBcbk^sJpbu!R8&wbq^g#+Di^L-j-BN*WaoB&*5$tE&(eWcd*Pc4+s z;!zOu8V~pmhT;dEQ>i9$dktRHx7Pem^-GP=J+^(zeyAR$^leDjuLK88wMF=$5pzxT zvfz!;m|i{fXW2Zcj_2x)7I~+YL~zS7^nO#t(8GQ6%29#Iv#`G?mrdcpOaA=kZpy^5 z5FTN9sipzOR+5{WA}}--tQNd@KDLsRRyXIG5E9AEx9)Izd7=v97rHj}|1_+$JroNc 
zJR?4ag&xcosUYBf@1*@UQCU}SQMZ@1@A}sQN@^fI3i^!U!*l#4PM*v=bS*ud5TKd= zV|`3QOjRu*Aq#*@X?m{oM+wxlZ3P($#1K(uBq$MIKu&wpO%d*TqDpx>CHE1oW_iab zK(c1%ieac@OCa>}L_KFJbpI_UaIw!^U3qS9RXMzzt-)dN(NZ9|VWx)iQc+vNiEg;A zgFBKcIz0SR@xQV6mQisv>$+$o!QDH!JHg!(+zBoT?v1-k&_Ltv76=;LEg?8GE{y~y z3GPl#fBW2Z?#g%f`PSZR-+jh7W2_%N#+=<aCh@J( zvkidPi__)GGhY;dxADT@2zp7In5T2Qz6Nj(qx5!Px|@~z0wQBrgI>^KB~-xy>q$Y`lu2Ru;i34D~PfdvtPG|zTWvtwz)>n ze+EC^NMUrkKOkZ)I#u>v!gO|gBTooxi8#u$!_j2PYIsGKYx4E(RBmi7;dDv0H%CIF zVQ503XJTR=+>!8P=Py8Y(2zr#ikE5>-i%PMr--R%uPn5G-5HMD)_UGy{XE!~-lq7R zLq8mGg5rIrr1a9!G87W}G&70-sW$=m+6!RQ11OXBek z6Xi`hseMOmfoF+ z6~~eAAzIqt=DQElv`~`n zsovpUIApR%+YWcUp4X~EX?`AAL|EX$ggv+rAYn3gRAE4#g{)Y)3WPrPMTd9yBL+I@L^3}{;i8#!l-PId z{fFqDCJ^H3=K%{Jq}Tpf1*aWAT41lJM`^>H!|@7xXKeofJ!z4}N?9Rk@X(!(o42om z2Ypx8Pa+qpghZ!vYpc(N@5x^H`(E=o4l3LeG}rDOpRqq{<~R355otf2DMjlmKd-jk zw58!mm^vChTegLA_wsYfAHgvcv945A5?Td*Lx?_?I{*!;%P3ml`U4ZWero%m6cb=;2Ky^n}~X5mkg zqdm(y<(B74983O9T5+q32bkB=dxGLOr64a=qo5MJQrv4chY>m^pz*T3<*;n*Rv-##Lx*Eu))E@8F1i{`;m4?RyvH1ntcC9!G{{cD$HM0`03^ zC9w1>&uwUYL|fvvu!w8sX_3o+6Nsntx4^)L$(KpMJ9Tma-7w6^lLYqxDC_o z%g=e;7*3HP_n)!Hmb)Fy5y}Ym4=H|BJJLjtC9OcnLgi-}6M9)1TnA~;_f17rr> zl2=jb95P`dxlQ~8gH?llFUel-&Q%qp7Wt43(VdOZsSbLsF7_fzyx=o-_rZT#oTCtB#E%~GR_|v#yF+J}4EMe2 ziCr3oQGw5BtsGnL3#^3>V@zfbvGT6hY>9s4j%kD#k>Th9k;Uq?-^wz+dhXqN+j1L6 z%b>j+c!sv^U$Pf_QE_fFy?kSJtk%LzS5It-63X{1TM$7I5MTrJXzF-|z^zC!ymK4) zD*M{plm8H+>Z?V(M%CEd*pbBGLm$fM@s|0j?F|+dr?WGbuvZcL^S6hH-K`z^jChft zM35#tHvnlXzEjoJ4)J7q@Yw;%)kr!j3tQ-{Pi2qTTdy%BUlY&W1R5o=KqQQoq^KqS z&_j$wczMQDm$O(bELD4HV_7J=UX6tp?q~=JZk-jK1)#ujLd2}$*kAlbo=4Jl6eDgl z?rX#YWD=pRBy82iN?m^Z6)78;Y4i>&EP5_W{pM65BQOeMmw+kjqN_a-_b{T%$iz&| z_s_C}vFphpXX__!v6`b5OMP_T&jk6uztO=J(gHZ{1P{1O@MML4k-Nw2ck|hm#T6D9 zjvG7f%7bpj{i7#Qdyw&{?MLXiy;wgU zu=t&2471RdsEJ!2Igb{b|4Y;v_9LgAWxCV7i;g6q48;zHjWETaPBp&GY?>~YzJbh^H zZ{nK4a03VCg0x+)?&e~xOzDzj&44B+!l$`yKuXSG1X|uh2~}f>LpZYfQ7UJY`vRI8 zv8UsGedZ0bYH9(Oof)gkmM;Rw2s;zU8K<$Qvgw!(AgOXgBN^UkYIIZ@H7+0;4$qJY 
z%6gcFRF&R}Vj^7)ohP*7R2a|Mu$2r46}g)kD-GP9q(IH=A83Mv78fFX{UfVLRP@_Y ztph`Igz?A}1Y}1`RqHB1mV+na!5d+$;-uyot>Y=~xLQRE>f!ply@j4UBRDQ45Or~L zNT2&$pa0c#I8N(YWnUj{o;;+?*XHCw!;aYvrD>6fkD2dNV!BE1;u5L%p!syx8acKl zVO_f*c-}ssPxv-tuhzl6tbq0nFwL9D0*f$0(w!*?N0O%Q&|kySvl*Q%ZP%|1dQ!FC z_?8t1#YKb9bx5cu$EB9osZ~wK(SgIh?MSN;IuBC-1~m* zk(rCViT=Iu%m*sE!(sJ~B9GP94f&yM`~f+Ni(STiYCwA_bqr*$d;Cr#vTSspF9 zNDF&Uu>Isg+UDBoJbAYsBFa?h!_LUC%QRe2^hE99@r z3hZncTFTl-{IA}!@Fz*0)~9OkC&;?ZfIH(2C=F+}YzcQwcPe?fqOTr`+296H5z5Kt zYWc-JG;grvoR6&SD*n>--a zARER{)gH6?4HEAYpTtATEFmeYc3BlC(XXLod6hk2aZdiwIz4aPr*$bxzPQB(KoG1} zGIg#WNveoaXX%&I*-G-c+&Zb+ncNK}H3j*8;0X~9WBPLi@YBkmsyV|hokw;PG#Tf38G0*XI3 z^dtWTKp~&8=Zw6CQry^4=~X2YwcP7-+`KL%wI;5ImzIR*2BU2#vdMwlv~XS&2t;JQ zAv!e|8*VP-pN$|++{`K`hdZjMh@76J4)FDBHZn1J8 z*&0KAC}L)sbP^8=SmRZQZ+)5x*M!);RoTp?TTqZFvpr336gU~L)dcn~v3GGdBO8Wc ziP<$i-WHefbthF^&%se0C=ZoKMixAb@y~J?c3t3aaivQl=`U8tW=0>?426T$`(X~&^rHdS9)3d-F>x(3J9Xuo0n`Ecpl{|lujwT(h2Xi7jj`@DHKMvKTFzV*B z{90fLT<@F}UX70kRBU#8o+PnnzJ8i7qS>H^yl2}Qo&*E>#Y3wztQ}sPa1<9C1p_4V zFB~6Exw0ol9O=q6xmrkiFFw57=rD96PIqy|;~{leX*H)@W!!;mOBSn*KB3qtA=OkC zFqHW;A+3B;MRE&9Qk(f$UUbTrQm4c)tR+X53psxvhs>n8Sr_s_nF+|J0+qI~+U%VJLV5s2s^y2tDJ)b;Z27l6i4OyPxN zS*W1pTk7VHI%UU;Ub7&sc*XbkRy>4bqadzOcK3%HyVExFKd8)|dcJht=@frdU z7v2U3u9}lzCOZ6UE&NFjhQa_W1_g7&%9QZ!^E5u@sBfN+qp6TL{fQ98msD@@4Th1k z37f_WUY&hXiL@&QIeM9#e^<40tLfXz=qE$LW}CuPNm8K8Gxqjqu#e%-mhVG~4Z7x1O@uTJoMijks_` zCyCLBEZ>y)FCirO^bJbd&0Up>HN`c3hPL`xf%(Hf=^+UUeleE-v+$i9md9=S)X+tJ zK9M8k?3Z7aUbp_VpO@-#ahV2P1D2(|M0`(`*c@S2Mk@#il+-8~!N19xhRzzPAP#k` z3Fz2-p?)3K7nJ>kkd>x}qyGiygIGZ@LWaW~DqeCvxo!Tqp#j!nJG8(YLL*?gw z7}=w9EkmGf;Sc#h+1)6$AC-xu1frLOVEz2-Z+0)%jW16Dfw)mcMnE4xGk%|#7@SqV5p-wk9 zS%U8mSl}B%LPD40-}G*E2`@-NkFIs` zmq+cN;WE8JI!>Pfb4j8dYT^}lmPVrEIwN*MS)fM1EkY_LYb}PyvL8stFtdxqr2P(TL<{2GL$JQUSUwe{mxeTCP?(uSj1}&`FG&eaE;3b{&Cb(1j z5Y!#dpxJeH(>J#?h3@*h4L+2)({D3wJDdh)Op~t)YvnenX(t2kN@|WTGpU zO?AKZK>|7Gvw|HpcT?ANVXP97c94H~=+6H%qMhfIseO9JxcEY@BZj_lVef#ib>cD~ 
z+Kub1+)mTi(V_w{)mTrvWM6YFMTPM8>3n!|&wTzac7Oyd8soNqQViQ6ab`U4jHk=! zTWu83T=u0jntT7KgDLp*NG}w99zD3Om?baZ1ZWAeL6dO$}!))q7cO?g+ts@ zkObk|+J}zm!(+TTi?wHs?`c3{@&^Gj)F~yWh#)pIs6e7TU0m_*<3a{NBm#>o=WfpX zL5WjuH(xD7+97S{Gl;ENG`}mZb&out;<7u;)*+#Yx8&8)7Msut+WP4vLdXTd;spxc z(z^ZoXu`w5;WXAnO2GjFShy=M{i(Cxpkr2ZVOTpteo^ZLa*2M1$0GBJ_xNbgrTW9J9LjB@at?>(3QDZc^!KP$!Yn zcvI&Tc?uk2ksv2|tv}`q-+!@d5at^zf{a9P;eC2skCzDAxpSxO62`_xIuBfMW35!- zjmE>R6aD-}!b_yN?x*~2B*+1MEREfl!9u4cC+_ssS-5>`=Cpnv(Ot&d}J7w4;1O z$uC_0Wk#t<2N^RUal-E!K75Kj5r{Avk;be>TV*PFII{zMu&c>0HZrt(&oe|cPnc*D zrPM<@B(Y+IC5-p&4b$}I{MY2_&n?)bhAW8ronc()ErC4oU3md6+7_qUIsB6lHv9pG zmoPy0T#SkTN>7h!_Z*!8u6;*zjU$~6bbBJ9kd&tppf;KV_MQ;d`nFhC;u(rwnLz=i zq_&9tXr(F$8j&-FhVMNFDLc6dc~tfs+V;f+H3U?MxQ`5|BWVjsa607N2XhVB&3I=G zoBBK#N;i+n5TEUj6jE-0OF&W+91yBhE0H{t-&ODu`)ouZx26t&wTsZ$U&x+>f%SdH zHV54~VM;!y^>t3HBUOTTA9?vSj2p6Ikfgsqzp#Mw#fhNGB7TgK2_7R6GM+q=-;t=+ zHgD3@?ri|fHD_W-1uPM5g-@skQMs%|PQRL2RuWt7|F9ayWJ)rMwH=P!BPn@Rv?m+- z^T)332bqMzEIL|?4pm(t;6oI|mly5|TH?iNWQ4*fZ^D88iBf#}B?yqb+)7B^+=SWN zBK~UlD%>lco&=`=&$UXBe_rIWMhK6!S5kTy`jqEf6zspS8YsJ$y|?U3a$ECYpsES$Hc4Jqq1r@OZ{W zD;HPt&=sgIIH*Y2ejC(>95j}#K2I}KVqx#I!;G#vK-I&-+$WlNrv<8&PE#=@g~ zAFTbMRIs*VSpnOj@SQLuavW}hxm@U2IT5T! 
z&`lneCgAo+D&tG~p&m_HDW=$VN)6e{plb z_vwwvti9J@#1^hEd|y`F2wdRWBDmGYB*}cUCMf9C#1)=(*6Xw3j#FXpXzz7%F^6rXZzL=o1cFDxo^6g16&sH^yDa>uidwXsDxEM##Dnl5$8 z4pqJ8PgFkXWZO>yOVOUu1vc@$w1;bM2IKQ4JCJ;15TL99P?oBw92cY>mcsyT5&tZ% zB&6Ez^`gCw0=|g~{s*IcW>j~$9Bk#pOTnRWJ`ZEFP5at<=&Pw$(*vcwl-$;ogULz4 zAd(>=zBcwo{3Oc=A?{MF3uG4G_`=@JLJVrwSyjf^@Q@{HGt1U+Ke zO@Bc83wn)CDnal+;$KV`1@rtB38b;S00V}G|2t04?vq!2nBN|AP5!dtE;MC&l!dGaX z^Z>5UuoY#o>Qe~OhG-{-CZSMS;MfcFKA-QZg|57{i=eExwjec!>PN0gsD67}>Ms5p zw^B}>x4bCk<=9wv9IS;q3vZ#?v!*fyFotwIGetul*QG;+30Nrk?_gft=Z zua7UWD@j3i(;7ncdNL6@B4ptWv9JX z>f4^ZxVY5EBZsC!tLAJ55D^5Jl1ez=d470ocmpHpSiv~ZVaR`oy~CElw8p;xkKW5c z-`!@RX{EL$wrAhIsq7fOg7bnJ0tLwc3fth+hMjmd$io;hZ~N2RZJDcazo(EarzZ?b zSfi(YJDYLj8{NFDl z$52^eK$3T^+Mq{avtbo+nw!$`4%s$ZYA4b+kKJG*KnKLnjK0zvvV&GqVR3@`9lOOK z64u4zQ6%>7Uv}F{!bZtQr=LBuVM7KRJ&iG*qjo$D7Xm#=5{rf+^dKpx^eSZ84 zus^U2OMjEs;IH6RZf5|_G&Q4@pMoCQ*04k61C23rhof;qrHB$?&uj; z1Z3|v&&S&O{j9JwBaoov@Fu>{)m5i_aM#cIwth zbrm7gvrJ`8ByG49Yef7|xNAgRQyDe6Jy`bBhmr2ep|kx}HYNM=AoK6(^LI)CQG8`f zZy1uabBHZt*H1D=-Nnm*AG796TDh0>Am$~bReAw=sHQf7&fhvMWdY?9FHDnAYn3Xz zvW)Wz#i|xG8sqF4vvJNzm;(FD1Bj%1GL_*v~e5m zvtD(MwL4VqrC~RC47$xhe!GuzOfj1T65JnZQ&+-xT-k}*WTjO@OS zTVm~?TKF)fV0#k?Sp5Z{?B5kt1MS@e_OVxeNLE#fGT5CUiLz=T*BxD7_ir<@2E=++ z4P6-8ulhmirnAs(8Vj#*`6{IomFZl?br9?^wk<3Wj*aIC4DW9BUOf6A`B^5LF@FM~ned^(TsOxcc( z8Nty6^(S)SW|vt^fYYOs^HUExg%d}z%ZvAU3T8(2*)4!i_Li zrk}p^`EgZ_9G7B3JHbY_?+Get`19$1R+ZGua}D(Fk$zg)S{ACAkAbPjEnMD(U$*Vp z7rvG8uqtBA%(Ayy4KemLXb(hkB#WNP(Gy%Yc5PoWh^i4 zsXZt`mw3|y^wyxIVRB&AZeiDN7F6jNd1JJ`CzgI%GhGZuDfFQbOnff8vZDn*NHTmW z2%j+F)|YJX(vl%_o3EzKaj7##XXQ+2pW%2D83tpiHpseu@Rs_U?#bIT>U%k;Xvul= z!8w22vRjVz4ByM&oJU33X%UM*_9SfXX2o~@2SoaRPd57h&+q;@qW%bRmRRm(Z)=Kb zg9FMN^h|1cDLRC@2xo=;pLWDm7kZa2Kq!`IRt8E>I=`?r_KKcH9d&AQPTdt%8{i*DHQM|qQfmo`< z&Rdscm>9@m{KMsJ&xtkcWo_^eU6;QvoLVhIF(0t##}YKsy~X&1yG(hz|1oHN0_MNK z8hlYw3U_kAGwprqQ;eUxcz$9hA^?Xe0(39|GQ0L z!K>fOR@*UMH5`3edi|t*4V3tkQDIs(zdsL+L+jPZf7ixBqGBdVe+WL1{7LX3^`i{M z^#9Y$^`aOSO!z;k=l!2P|1YTZp|QrDhK;S!OtI^T8F*X7?Bsn@>Eu89>fedy-#-Kt 
zyTABgE3ii2+%a=uU)GF=uG^k_B$cKf>cC>D2fvK+tZmymi}(_@f=l3OD(YN%(66zl zpzO*bdBtgDI|Cu>F=(VK`K;Zn&LZif?4=!y>=2Af%97iIU^M>(7f-16V zu8i@gd523@TSxYiYe7<~YY=cf2X_v)# z*v}d=eGUD_x(am65;!9wu~_P4IP6az5b$IaE1%>;j|=J-Hojc3N%~rhx@3;X(s;xb ztS~rAxi1ZSTgt!1{PE~hdY4;GpdtT%x&!`4?)P8lq^wG&Ail@0i^SdCRb!ff!5!?l z6?Y-1@SVB?JGg`opZHGwT`%2A;0ARaI9GD7+WO~R>iCC3dk_K(TiwvXz_e1>St{z4_Ihv$c0A@IxQW6l_geW5uNvXc7?g_{*+F=pUl#*U^m;v@w^oKACR zX(_7oK{BriU#mv8CcWAt3PI|OqGt@6fVY`1;TFV5r?bxB4aJ1#`;H9eU$Cu=SfwBd za!4Wut0K8faOHK`O#wnthQum`m-SoPXLn}i^sQovcBVoA!GZgD!r%fe?)@0^R?hx) zDelkHf|{rt1aXBeSY5rByQwv#z^uqn-d}(Nze+KVRgd}@W9D3^zqk;*?dq>0wkJ97 zAfdYw+{}RPi}iETSACMVilfv2yk{Rl6<6hRYa2q>{e0RwVv`w^`E@XLmq+=2IM)9i z|3N5hpH1|#4C)=EROe^i(geL4kd2Ft9dtW6=+9{&^Ki&g!t{k`cKO-6eof&)S}EZ~ zMh;dW%il!conJUi{N^qIPtVOV-sCwnglb8)C&By^Ah@qICK|bpfPNw_^O@? z-WEwmc4gz!H%|5mQqj46V`8=XE@IC~l3k)7pwz_XjG3d*w!Q&XES}-rk487|N8XVf za444+(g-l2)5SG%iqsu0)bI@QG0k5=*cjGqt?+$Z`kt2u;u>wIEf4r^`?{_E?5W*v zt#x}7Gbm2iv}hsEVG(VvU_7UbQY8;W4C_M{L@Mq+B~uS*M}dV(6<4RBj!gyKx@UnPOmX^lP!4Nth1 zm{IeB;>0NxUc_}soR%7}+9v2>rSog-|#^geoo-MBKSFOKYkpmeVQ}xP8i%) zL%225)(<9~yf6(7q76Hgx4dJ8e}Pl~Ica4u!Q6`(&((z~)+Ftkatm55S2J)8Pu$QR zb^FblZ39JjxfLNoOs*7QH>KBZ)xvi<%So!say2ZJ@k|@Y*u3d7Ao651>t%2`#nplX?rdt>zeSFgmEyRN?)5qZ|IjMMVZZo*3)K`n6@{kwhB?S zSzxebcv~;3M80Vl392F^?~Y6G*`Fz!j;G@PUh`(KpQr5DY1%y;>NQ$o0f-B(Y--3i z3QL}xPu=Yy$_J5MrzQ7NO0afH1(TolPFLafLG-E^f*nr z!YnAWg$9+qHgo(H>^?P)KO6bF(^$u)-9LhYSS!9&BRu`dXsM{)VqqhyUab1_1Ov{k zvN>W>Mgnn`K&QwnB~84vxUTR zw~|^yojuq0&JlRyt9sKTuo=ukHQ;jKcA`;+-n1PF4G8VSg!pttu%pQ@T1&H5H(HYj zQxzmN26iwTkszdzMjppH*fG32t$8$%sFz9WABWXCIk7fwLh@!0kmd-Jp#A#+wvJHC z5!AV*mW;DPmkEUYx3x_w_LXv89~6SfJJ&QndH|&-01y&$NL^nEX%>Nw{3&KmlBfo% z{#>y}I0uH`C$AzvWf1%J4+)7s{lthX!5UbAn!KNa8i zD)|Q$TbAK^)T~#Dv}aSru1ZP7&y2tYmsE3=nG!P9{V9@+Y=!s||^sH@v_#x5` zuv}En3$kq@IZX1irO7i4668l3BtvLP@=aVI=vki1?AKUa9Wqd$k?wv2Ovqgv#eTU! 
z!1qVz^*kld%9cn{X|am~t^_{}0tneVY71zx?Q0w7r$l~S)7V-j32sQgYt?jh>i}T5 zB?Y4c^^m@p_4W5y@nH>2<08}Uk`mtvVKW*|GHpdy^VR>a7Dfv z(8|USsPMv4FrCl>OQedR?KTm{AxE=2njxVuq?x}+`ZO@rz_r{Ff!RXx3t*RU6a13? zw!JZp1f)+O!tMVxbUok*%kalf8CI;_Il}kY(I7{z9m5rgk)wNlPMO!C3Yf5HBiw|& z?B`1lbeT5!Jl;TEKjxv!TLsE$BKYw?vKajbJ_NKdZE!7`*4(a*eF)@yFCZ+H;5Xlk)m&&o999 zvQJS9(qQfnq|4=b0$y?HR_a2dOd|x7q2{4tSWf9)Zea!Uw1&~^O`E&yd<8NsNS-~RVlV0kuBp2+k2SRLyg1;@uy4p8{au)Hip(!xH0xtD{j3yTJUWj#F0hq zx9a?<)8O*WXA{m%8}TMF>p>Z029|K^5?rwheuOF4O&8ZC4DUfiZq4XzqeO7rHG(C0 zl8=?2#$aN;1xJOy0RD!s@I{5h?~P9w>e(P~T2vo**2O5W3{)Eo|T$QCDR5& zM>~fZ?K$xohpZ5acNbrE{y{rK67n&jw}A!_*Ti}s*NXa0?G;1J!Agn@K|ZdjLY`s9 zd_mn@4$-Qb$$hXKa1Vi2BK5Zi`KOUV9lvoeWFl`|YN5e2umQ<%_45>CZg~!G{DHBj z)02yr?KYN3b`TjAyef-5U;2;g7WRFzYjn&yhjlDDBgD9420)Sdy;yXX@+1zLk;Ra= zQ-s^7L2cR3B2V{%;!BM$EXwou1K{_nX?zOZmy6jueES0?;2*^ujv@u;xrI>{KVO=! z0=5BZSf=6I^%c2OC5E$3tV^wDz5m@S{kf_yiDqO&r+4V}KX^oOMljMk7=l$-FrF+n z6EAEiPA05!s8du;5FNPTf>(JKU2M`1FmnLGI_0h7OUV zqpapE&aHz8%>h5IgdIH9oSz($6+{qdhX||@$O+)?tcw2J#y<^-V49|roz$GPV^U>h zxX(u>ZXFBY-UKnYf*a4p&(wzRQ{xYY9Y)X|ezrkXb<2l;#H9bV2>}h{DJ~EXPU}^- zxb?)4@a4e`{Zntp`8C9dHNOlU?$~f(psq&T7A=rAZ1L_dAFd|J;B-m0R(+oJIc=kC zf9$u;#Q1VFVuad-PnARlcKRwV0=aC{kho(ijTylWN%FhP^1pO;AE?66h6JTL3wsnZzx;d71Mw1HQjZhH91Gva;D+{+{&%O|D(~7FjR1I*-4Mu z)|OEC-tnvxWtc@!W0232l`!JTuQBcIw~%hyxHbS_l_v+oW3Wm0A3WXMe%UqhdcTN_ zOfQ&oqjetGcn}jmQV_i4qxn8ra;idhUOdQ_WI-s>l2e}p&adtI3pbz%ucX3)&fjFS zCJid!WY`qalp5Zu9bu-OHi^+I(M{$WXZu3ukt}pLlN@9H+tjM@CnI8nN?=02?jW|d zX~n)mb2O4jb1ivjd#KaIMB_!>d1EX)HFEZ9w1Mk**b-=j(OOxNn*~h5Y#l3Re ziVAJ_3PNPvtKGRQf*0s|hi_IC_y^_HlfDSXA6-5C_$xP}{>(7o`KFj9<2k(kSGuG@ zoOG|T^{|1ymX8uXU3EHTQ$?9aLoi~vNE0isyskZ7hnH(fSggC?R_R~aizNLy9sUY> zi0G+u_nQUj9**8#XDM>B%SYzAo4{!iTa#}*bj_QqEu0f8br97auCo8n(ASV(1kD+s9uyamZl z@m_Y@&Khz@=ns^Lf?5j3(x6IPmf|fG1V>m4=SiY1~2h)7IbiJ~*I#($(ENvS2 zPUB^vs~+w$`OupajBKjYDTaBWqtW$wpeTsj#}y^u;FipjH0Ze*yRqHXm6xlG^GL#1 zv{AZ}{B$>vMy%Ifk6oO_a20LT0fz6_1-Fab@Hu_9QkflLq}9M$f_ct6b$K%DZYFu) 
zG^U>_7Z7opOfcR$;eHf1F?_l86oODH{0pG&UD#|WgX!YFVWv;8j#bs~>`csfMwshT zyrxhVRn*d?6uPS>a;WJPcN)BLwFBmXrOY5_S<6P8`8FQpUW10+&`a)_TYM}o;%Isc zCmU@42Q2;nguEhQ_9o>mk;mJ+a~QHllCM<1oBHolN5Fz1|A|}{e^mIN#nQ*~^?q77 zV$32{+iThzqEa@su);Fh?x{RJ?F zK>($B?+{^tYjt0B#QFTwJ>*BXw>z)3`2W|TI(PL`nQ3W%{ZHcg`NTRX#in*F{*NRX zy%@dSX!_`R`4uGH*9pBBRM$1H2aweoyFSg9&9hzXFXCy19o9w0XoEUZV#D%~&|nFP z@YL`}vdg-BcpJPn9;E_MFubU-Fy3Vc>E*#`ZPo4YmM0r-AVIA%EP3QO>-&~ z91)7@kVX@-tuE~w4jnGw95g_+)&2HhPF#5eCC?8HR)c_U7{|xmRqm zhE>e2j%5?{mzxgKopu`I7?yJNaQG2TbNt)xo_qQQ87^|Ph`lm4%nonC@3*ozClcFo zQQmSUcS#cZXg}_BEK_~Bo#y-Q)YgTRm8eqylR1KMl`ejli_U`A+(p#F7cJmjdiq^z zUM{G@jz?9(@79O??2DkZKGo^2J6W=ONj#0#^Y3bFFBdK)FP^$2#ty&#Cus%$-N3)U zUH_j405a8>_uJdu&F69K&J@KDWn%{6B=V$uM}Hv^UoHA(6+Obn@zgPWYFQ4C#^G#< z;B>%m+f91m?);M&R#MDn@vP%v)kZji{IOmCHE=xydai%JC4BNV^lX1&Zt#o z@~pV_jjiU}X-rpg9_6*v7Ht9Zou>d~1z6oy^0w7e4|g#azs+7OdKhZ8^jPaZJU_({*caB?cSS6OZA4Y(@oOQIn~*ny&uTr!H9Rg6}> zshV-<9NVZtfI7TgpD7jb|=Z%AYVUm85MTnva-Mt(1fh z0QQhS2(52c@!fy%5`OFgRa>-EAHxqq30RY4zhzw0HY3}4;&}z;3n^1!RgN>X9LkyPA8RJyo&h`5N~Jcn+R=%+MVq99OFvF7=v4P6v{5iwxJ zHk>t>o}b@jodYAJnUWSHX@L2i5CvvF9@y3YJXi5dd+V^w^Jbj1Kzpt3omnUDprq9C zvBD+cMO$lDcnUZwJ?&uPD*;=D66a53(L^2l;0UP4jA?=$F_}#*m1ZI?Slo!<$KCz> zQGWS~cyn`{OSVcrHE!^8m13^F$Ha5rbMQb#U(o*Dr7#O?T5Ct%1WfjpwOr7JPA@K$ zl7nIKxg=K(hnkp}+w1I1CsDqt-JmAfXqK1GfXAN)6M^b*+ldJxS{JSJSFrM_p+~lS zxP;Y^RI+QP5Avy~miOWt!^ol`rapgCdDE4r(sDEQ9)y+g|QG*Xz5qCwJR`@As8m8Nny}ZcbG)C-%x2#|C zGlU=l1j*UPk7fE1<4HIXnwY7f#04igOn36k&04b~K(F@&+K8jFggHu^Ui01<5O_V| zvP=lJ@M&bvceE{eZVAcgr*=1OV9xFI3xh}~>QEYz&+^E);Ef`FWCL9rlW$kd{=lAnSJKT!pmDj!tiAZ=ix_B_${^ZH7Jo-0E*DpP69)+}Muy;9BEZyq~9pAfBx#3IKU%+o@$ zJqzs`|N5bYuFhC6=u?N3qvv62-*+T#wU@zeH=4jH*tR*}MLPE?&6~$=lqn$N=lGnk zHtqr}PO$-)RB@c@=Du>`o9l^h@Waj>1OaJkT;gw#$qgfhZ*7+i(e8{6zt<@LB*qrC z0?t3uw7VdFRlm(|wd!R7Y_tyDy=K4ko3GcmoC7_4q>Hx95|Fbuc}cW-2Ivf@kN_Z5P$g-RUCFS+hFYTJ!s66j*&`s!F+?JFdnXt;sOfwH5esr8-ldCPSB& zfH@O7^!hK&M|MaBNw%nR_IT;NOxhMTj8+z)=}?ZtXS2>t6`gUS74U=(K0boI1BUtk 
zgT1#7imPk)L`fjHg#f`xLgVgEkRTm`JB_<_L*o)85H!$OfZ*;lPB*T>-Q6ufa0?{x zPQPdFOnu*-TT|zJr{>;UHS-Tmb?xfC_S(;~=lRKv=qTstN=g<%OBQ>2%ppu-C6^g1 zgN$0~7QOIwCN0?@P-4>9)Wpz%^G)8;pACg>GyRYRtlYO=WY5OReY~49cvlA)gphJN<>89 zmVfvjtn>rx;(j*Wr#S4!{`fRasbIz;GHiyOt=|5U1j{5mn#jT4(fP>l8Hz-lG*%Y1 z-%$SdpbQxIJcGAYxR#Z@e)gqWbbvXB43(MIX|4AwH${rLXH>WiSjxnrB-6#QnVC^S zWN@w&)Nr#V>yJ@56y-W;UqZ=$`(ZOFVQaRAGzD)nJDYTv%pkP}n44Q_X4l*>Gpt^e zL?YuxTu{mD3G`FdIn;EmCw9;NEoyI1#dsrXqqEMq+7l))`1G0i4BfR#!}7FEt#XOa z3+y*`i57tcycQG};$|+5s4;cmR+m>RDBc&Y-4Lw2UIP;2_vv6hr6GQ5{Rur-t+XN? z)RHL$h%^b5%ICePjvGYr><|Qg3aFnsE?SY{c7tXBl_Q z%Wp>e$v5`o(LM2Ke$dCAbAK(D>0$cVCL+INMf(*)uquvIl;>Rc-%Vd}KDA&@qd z8UkgXW1Z5fP>31ANK^$j=Ivi-PqqHo{bTkG&h~F4?(n~j8T+zPWPR30fxvD#lsTlO z8p<5>qCoLJ&KTeJ{hhz)o4*p4E!MB@q7Z48 z4&-sbGuG-s$o$DP8FtHP0e%G7Tn+QT0BNhESnU8Y<_Anv9{3NA+If+3r5%6w* zPgtS8e<`NS#x2~C1)WRMPc}+0M$lh^EhxvoR0RFJ_O73d+_^9L2FOuwS z#ee!`I2$YeCVY!B&8FlM>F+HzNO)9*%`$A$vj4G<=8{OCpptk0)K7o=1pZ?m2^Pwu{cR2UPht3W z^B+UdUPGF)TaEp%p_!lu~_JO)3w`^0)rO|7-yL--3IpvLj#ovx;F? zDh%x<3-E2G-JEko$Bw~l;L(`r1KI>;(!T>9^N$dk{{&RVrVGWV6uf=#Sw;aO+_aa< zjhN!SZ)yQ<6&wR6g+Z@;pAsFZ|I;-(=`m7shbY&w{B;ht!*FOPAx~%Y#tz|CL1h|^ zapoB1M-{jo9sYy|-lEg#<07tn0-QSByDKI&b!-D$e4K`6!)y)_&(-)SGPBV#!)etJ zHn&jE3fWF3as50Xdm*~9V+M_$i>4!)1@vDTwEX8-2Pnt^fG3n0n6BLPfl z+2mKzV%w+LCNo(ICwB(svvKuZaI%i%=V%U)Oa1=ZgQ+AO9yl z{OtPsD<8Gy|t)2;)E1tecY`i_z(Eqg_5D%6d%XE{R?g3mBCOj?26*U#! 
zH@`seVF6%4lT#ZWGrE8PW<=AB)UdU^muE!DrIBp;t}Lw=*VYIQqtaUzlx~+CY9j^9 ze#o};*;)1RO4eLg5UP|_$c=a_yw-#7L3br7{H(HHPTnp4S2wFweH15ymVM=9Vbq%% zc8ai-!Am8PyKs8HDpG_LGtk4nf=eTW`T%YoZ@CoIPt{J5ED;C9cyg1?r>vbWef@{?zHh;_BY6tLgoIPlMj7~9^$q?8^>_7!vG&TtHRvSi?WUaT zFa@bolYp;bjv7XJzitLAa$CXtT1w0f2`89Vv9~2b84KZg~v9}Vn)lmn4 zmuq0xg13nWM`8uMHHV#~6(>z98 z`X!>G!@W{^o-l2xUMQeZ^!W_H4J3@M>GJ0Kmd=(72kQMMzU*-HqrDbKdc3lQ@Ilka z5tjrp_v~2>=l<~7(Rz!%dl3i()vY8*qMwXLEMPa#5HV*)z!o&Pt=;s23){HvAj zq>>*lhlXvLJ3rxMt^C~+d=QiZb;y`^-@5Ac`0xh7*68SJ(hQG%nMOf%nRwA_1b&vrk86uW+X|c#)J^0>d=@s>l)ELYgShFGq^5H zrUp^|1a~ii*%DaP^-skkI-xI1B48|UwE2Lxd+!U-gugHMC$D(yrTT45dlWec zO&+S@-wLmT!*=A8KOxHEqyMa6Qf{B>j;__&f(wlta3uKUu|-*5bvd8x&lm4&8Xoef zIV3dnR;o^{X>ZPu|3HUkoWodKT96MO4;b~eqN{S9$;g*yD@&CbPeFP<%% zR|lio^=EubcFtC5i49Y$if+%Q-{C~}e9 zJLg@1$vC^G=P~oIx-2)HYv-rq6>E~SYlRLM1M!$%)hm;=G><=09u^?miKoWUW+YMd zIQj9T$?CTFd1i-^TU3=)jXA#4xN9Pq7UfA9RYN=EYSVSqkt>%ZMMD zOb3tCL{?h~oyWcN=UuOIU_6ViH6EszK{-B~a{fuqQZO2zkitlB)Epud+FwKD&AA__ z41fl(7C}zS1?bMIYLcRT{th}bPMKTstw`H%kjQss%CS28+1&|KbB`V6=yQ7>3Bn_5GpWzemDtO?dY__KQ^=^Gg7&4Pjg2J`i(Y!SDF`Abx)=EuEaX3W(*m zem!>5Py9c znp1qp_(!NT6{$Ag>avXUO=RU87!CTKcu?!r&bfwEX>ni4xW7~Rn=sjFmK7pd(H-?? 
z&1{(`IS3Ve3rgEGPj(s&@L=bls0EgqZxmR&#{&$Rd--m~(vdYf^m<@DOFY9ONWiX4 z&k&v&v!Z*e1z>t-s}~)|q2mHiY@$jnOAQW{PVJ#IdBQBq z`ZUB!572(N(mbNnl{0IPEF-3y;T67OrPu_xbuPx}-G_u|wzIrQ5kBnu#af2`JxP1a3Nza<*fbgI zN;Szq?V#@)=;Pa0m_Y(8CB5GPIWH7GL>XglUb6Hv%(%W4ixi}0Wm3|-SS|Eei>NKN zF=;}Vi1kIQlb5F*A^G}zlsZM_sG)16J%7e+E}tqUGQqC*xc!$5UsYO@v{*9b_IVDT zfR0A#0{^>mf2R)x5uHf^u7o1{Sq=tVW)Y1Eb`yEd;1SH(YpIa6AjZ7X(K3VYW5M19 zNx0#W0OR4tARLTn4>Ew)joSxv)M))`%ToKahlY-SDTqTu=eP>aE$p9sh;#FB$|k*V zzx^YStyHSb9RK*~P@Pi5$riI*ojqFEAjMmrqf==rcRg{ptzkPz@h8KPZ~MgDsh-5i zoq+g|P+IHQV}{wX0{uCyJa0i>w5(L?aKV5P+qHb23{dG21y?>_?F}KiY>FS-9n9) z%@ncpll$hIC-$GIHM73)Q-8@HPkq^9_NuI{YELt%^b`GLVMQwKEpDfp!zBwn*+Lg< z5^qy3hw}FxPfglqP{EkfJeM|Qta!6P22XctDbPR`cc?w4M=yV}fTGHfp zWm*pRA78331HG`5by><={WoX){j{gnmSmu`tw{BLfoxadI85i9Lp#)S)*FU?of3eW zfCk?L8)&L4p_eiU46A5PJ?`0oZ46oqb?q6-bSWKMqK!m}_&R7~-wAC6}Hce}gNcPFriM7-*ewC(K4mgMW4w4to zRW=em7>AjL>hC9|3Qbg@VfTVq$9v`BVD6i$^AD8WHm`<$p6U`f+V96xwZIo9Lpif$ zwYujJP_Y&G7Jf#YikX1E<@bMEbJ&#pwjcF%&G3t91NArgcK&^5YTlzPlm;T1wu3H{ zQvORsA27_qRM2&M2LJMx7GX_c^uA^t#nJEU?du%8dTq>$86$X2(`VHl_UF*XSaq?P ztN)ga`4CFptI`rK?>9bBYA;P{cb0BCvJ3<#gjko;k5o3dY~ z4@YEUF1|4mlCaQmnu%Aoagh_G8u(mua)J=zOtex#mVc!@)uuW=J?>6iU_<@&5P6`RBzLyRptwh50Ugd((`8 zD5FxF*U`#1=7g@E`w&U705Zcu&#rmmh|^+&W^v&5ik4HuqvI9eM706R5-y_ zVh!6ED{}>IUUCwY0ntUg=WN&;!uSZs+86#f8b-;9x}RNNc?Mb&I1LN7st>=m8S%pr zm4W%*_7RwdC}pw2GwMy7TeCK+)!2TYFISE5g9Nl1E8On0LOnc6hCRR>z>A6+tnnA6 zXuO>V^%fzUcO+x?YfN8m=O*Q-c}0gp61-2-R+IHNLidt_6`~BjU7>jh%ru25ry%u4 zYRX!;h@RAiWOq({8v((oE-c+k%opYzJt!|T@rcpbJfo{V1mhg{imd~i5iQ8%H5PDK z;1uqvL`&Zuqs#E6>-UoZ1}3C^!cbf&cgvnxKCT*bvD&_@=LBU;V1cobiP5)cI+e+Y zmKNgkpQ3jPJb}C+N7|JFQv&cww<`a#%D_}W821=3*8e|4O-4*^BNy@|dP(RzFPqqRapwR8e|kLVBU1JCJkZo4I=bd>U}xp3$PWc`Lf&t`@u3vT z@ZWt6{JWk?Dd4wgSrerJ1|&Zk2#@TKQ7dtff={FUPyU2}t~8(^WlFKkn4S5_m8HV^ zAkZKl$BEu4*?y?#!Bk0a&f0RVbS(OEBz%{TzdCTWtdtrG^V}D$Oo&oeJK7U29aYXT zS^05h?<&Eoh!IqAuH@Cc*~H+C72l`oQyfEbP{oku4KC1(XUH=eq{@|5V#_fPmkWue z+iPaCP0I>QymVe}ImxgTIhsBzh6>mmoUiGt+z5Z7qhw0c;1j*mu5tbb-q@{)&iXt< 
zlsDwzbAqeLp*g^)>ljJe*Y)(FQwXVAOzY_S&00pR+soOSLrN9qjSEcPA?3;aWBIRw6fF;QPXrcK;~l|{G^~uR@k%xI(OSD^o+n+B z&07r)%uP|kRP%+Mz46M)Mxb+RbnW6u4PPsVH_?s`U>VG0Uw-+M@gHhrlAje0oS)4V_MoB|V2 zC2Q+an{vW1rJ#X%4w3zc{(!xZUGxi%$|rfm#&H%J6*883A910ZA* zlZwhuCpsr|_mr2@BjKM}cjTUK8q1NbCZLyPZ6miF%Dw&6{q&C`>v0I`s{x;uxtqQQ z_c+sgWvMYWrv-zCy%{eGWosXVpT%N9GG@| zfzIl;Wk+kJeYEqeHb1R{rxUqu7`I~jQ6O<(p&5D);B#N#1_&ia1)Fn9lRWxyWDU^u z!dH%)9_s&j#|-J#PF^B1{W>ov|D-0x&(eKc)z6J|%1~y4os7hC{x}ewLBYPy~ppe2+_g9wGj%WVi7ZEWC=A zJrDFP?cg|M&r06Yi0%mhJ-c(J-bk0Ha0*iA8;MUM&rvF%cuYjiz*csR3yo(>Jz{o0H&=RuHD0MX?u&RD2Vr6>arA zUcS5U#g7zce#Pb$X)eY_121}>6kTeiJ~Zm)oii*lh%uiY3g+WV@x7GBPE~cKl=Aqe zqbz$wv5%(k%0zoV1p`44^bWN_fL@CZk5cXEORYu^3eGI+0jlGTSZG`W%s)^mVT_*&Md>#RlreQ5md&#{OyIcqiHy z|F>2HnC<@Y+E7&M=f-#0`muD}_U(&LVFUdp-{3>6>&~x4=g+RcC-W?)TFBNI<@4>J zR((;5?QGwc;zi?rFAu1D^0`lSKe0XyLg-{ai7v0ffvGW)%Mxk(y_Q|9lIS%wdym!U z$yi{wWWY@%o?w|^Lv=7o#d=#$x%IERfPI;)A~*rJ`b&C8cE^2xo!pDzB&|1XYDx3zk_caqhR*MieXx6ZYKy@~ZOyX;Z)E!^XFgeXtH4KkZY)Te zh{(AXUH;AfMSOlnL)Y}GhV31R!T>LZ=t70eM#e_$SOIbxQgD_*o=zejk5GXrp@px9 z1VIm`5Oa2GdXYviW2sZ7C0Va}EiqM?Za_#I@?p|>UZa+9iy!LTLmk`Agx6cBJlc#mNTEYkAg`&JcdLVCB4Ip&cRJKM!F znu@tb@CuEW;jRWM5LH!SQ4G3F5y1%!O~Yxer}J`Y1n-pJC<<67sPyg0^Va5=5EH@*WA@@b4Qp~(L*yMGFh@oreUFyXhbo0$Gt4%!^}1l z=BFZV#{7oPcEHwd)m!Q)|0KY0}QwuTCWW zf)u=qW2o%8;RVUv-ka|t6yjQ$2dphXjO|Wzgn9{L^Lp~)k@+v)Psb!@2Rb3x(OVOe zJg_lxQ=_g#H;6_1*rhmecVya*Umml}1%P(FSfoFlx%JCk-@;>@jY4FR!3OXX2$j$0 z=e67j})LSUu8DC#rA0M zOOR{oMW^@#apPFPspO&OBm~gjoP4r&yr!~ijqsK|w(1)}(8Gf0Q(jRW{>a<3%%-xs z{H1x)t;}NSrKq2`@Fh!1vkR!ccqOR2E$8>SDVdYk+_|nBG2n?#UCt}g^@>hrK=P<8 z?@K7m@559Pa;~VUF=~61oApJ=%jCoUS2Q2@(P`)~MGC-lrec1d9NOIuSy?_-ZWFWl z-n)2LMnxHiuWYBw%@{6%e{TF{E9~@0R^xcD(2vn1>*XrFdfUW|a5T9X0@f?*TUIZ{ zHwz#@DSI-r{2BBnY9f1xl46&dQ3E?C?h4ziZble$W)cNE1!pi4h!L{zQqGAT&@Pg<1#fyx*oYe*-%Y*od(3IiZ z?Nioq(iAb;%|9o)+I6N_HG0=&iF>j=aK4Y)T3qz%nF)GZ| ztlfme>X*$O_l}i5pMQ<{hL*7byx12xS{4XVZVJRV&>tl{AklCAZiBUB@I>P3cYcFA zsru^bpA#GdnyMSJ?)BArs0wNL2>EoMh5qDwGM%><6Hk7KY)~bOv%(*HI1$kkKFV*D 
zN$RDOtu;DcS1TxLjW@X0YaWKtSVr_Muyk}0=?%%k2qt zmQoOiQ1`LeZUlR4mJhwR3xAXq743*d_tZf*@Uipe(Z-UK`Z78L)=x>FQ`sD4%prvo zwVL84KY26f^9_hzxOV+8<4{H^cCt^m@#5yh%T^`may+om z{R(vwuyAZPn!i}S!}}UX?U&d>5g7sa{jd_)Sr$_n3Wai3G-p=0)=}ag?&=dIX^5Q0 zHQkJQ2%x$+Bg*bRs3Ahx!CEJH*81~6M;o@OtE-DItd%PBN+H4EWS_EsD|s{ms|6VT2d1+4MS{Jpo0~egDI*7z)ZAmx|@MA57Sq z1vCgdzb2{=E+SKhKAx2b9JB4MDM>9BKjgrh6o*b=}EGeQTjn7q}_WMK7~kK_X+@ z(eogA@u+@UrY}AcLI;vxzE~L$%Q;muumZrY6ko9@cU2W34UWH=b{r;$=9qxwSIRft zKh%$-&j z#Oq2DN!YXxn8uPLKr6GW=_j_}2m2Iq-NaEZry3AB(q}V1H-_;Q;_PW$<8HwDJ_S>Y zFH7T3DDi=->5@E~q3RsRE%oc5p06m?U3P-M(71RAaWi1EHCvogd-qG&7KqCUg^dga zV^cKN;WI3w`0)?A52RUh&)UW;XsLFTkVH-$_AhIIdkKY~Ed&Y1e656O50<1-px{!& zVb1Wc=W=XDMkjLnP1dg)MMb*~G1&|AGXF+=hgxPn_9cMz+eXWPP7o$nddH`f#H{@@ z^h4zf2YN1fUq&TXK7dI?ia26!Jh9~nRTb1c#@vi`NSpQjA+Fq;2QPoV2QywIFOnrM zbW@3jueq8wZSQGiCnweW4SGhA;b>E7Q3RWBlQnb9*JE{(yY%N^IKtoix}!sG+wd7 zw~U6Owx>oMsKYLJ1i2IfFHRLW2RF0~J#O#xt*P$rGqVvH7TpU}Vf0C|DZOUmr_H7lYd{GhmI-|~RY}|L+-qQa&FFoIkd=HoKs})5`S|SYG#i?f_p7zgr z(?CB>B-(O)vxI_Opuv7t=Z2)H`O6idyOj0=>C1nBB(Cq<;apFD9^+M)Btq1Jk}JrW z_ORnj(+4|~A81lgD9sh$IxI@5tG{H(cv(3XwY=QsZuqTL%$~iCP)=o%JNaZtxy3?* z`-C}AFdx9K7z*H~9M36TR&4z(5d?}ku7FS6r99}nczIln(>j*qB~~$^R=Q{5F=?lP zy?^f%zptSF{CBSCzsdpSXVz?MkJYWMsdIF{+)7&9i^--I+D7Afytb0r^85AknA@2F z;SJ%~YrNQ0(3PXWqU3NTk_?kPD)v(Xv_u_D^S`TzSd_r*^FCP6@xB5}u^i_sLu(hQ zM84L%)@d{!+!r|oDY$6VnWA)SrM4+$A$n?Rznp))^$GFXqSaGDd|fI0n$Qs65v=^t`h?p@h__-Ny>A_s+(7)Nn#KIH` z1_JY+i}+;1I$cRgT=N&qv~SZSldg^=&IcHEmgrcs`1C4qH2EZBOzR6halv>_j>&P=C--=#RsnMY8|=x)I691w^su3 z4o7a zhM9l~WG`~;Od7)yRqoPjnQb5t?mx0jHxN|*jpwav6O*v2lwbj*uFD{N=?OfYnMRb~ zAGox~{DlTuxME|EZaGJ7L%0fE@;Vn69Ml)3Rc6xcV z)9K4*%dK2i_Umm_f*2F&legmNO0n&Dl&QM3k`xSlP7BZHSbo9LX|{o$m2q1P20u8P zNfJhFbG8C2*M=>N6`h@({l&*rdS?r2@_Wfw_`ZJ^;cRtLqmXoD?-A>(NYiOgFa82Z zpx|=mqT8em2`o^`C4R~~Ad#^RW0fT9a`2TW+aKS~G;#E^w6#f46H45cux4vH#(;4GGu4MIH|xPNPWgqDD@^*ev8#wE?XMlnsn4!nz_1bgv9 zId2d#llgYD)R3*wIInwrzbW59ld7v{@Yb=Ds6BUokYS?97u8vUkO~C76M-Xjsa7l3 zdMZqM+=TxJd+Is<(sx9=Fz_@dc?_MT7b{_-QisC)OB|NOpVlnz1J(8UvF^6<4|$DW 
zPRS1MCDJnCKXu(!GL2j zLPB3$&p8w^J*NughER2+RhZXU@;F=QoikbqEKO=|W3`16ObWGtPTrkA70OyM_ly>ypnh=F%sY0jgj&aWF*e~K|?Xf8$A&RD|qPdJyf z6L&3y(TazGn(O{ky_OG2jwMWK6BSNOmQ9vi z#hz#@D_lhAa7S-j&6#U&=GImrM`x4=E^l`<{Z3LMM{mRq%LY+@b%5jjV`a$v{bPl* zhKb+igO=8mQ^jg;L7Md(+zq^2#*?b7!b;F0!oX0pmazw4^3Db|g@0&-n$xz|(G*Q^ zK*k|mc&Jo*Iw7`J2Dt0Gv^|9oA@0jQQeP^#TySPI?r$&nbIz?%eI^Ca5+>@00A1ZR*Zv-1GGr+JYXx!!!P;^MtPf<@Uqryc|P2T6BAI1&eY2yXj z`e0W#HzVUYiXzeFqX~X`4i!sk(Mle!?nhl4GgeMrh_i>2KR1@yWl$i?QsZ_^7>&ch zVxX~&BJY^5y5m93AK81J^?HmsTsiF`b76&?^+WPhJ$uzhW`-uUW~Asr5=>BG0Aroqgx0mX+}XOb2pyo+?T81LoeD;&OJ> zYo6@uH)pnX0n+0jZW$Q}zx(;zN#p0ebDw=IISK7IeyAEv!SeXRG%NV9yDBbo?cuqV zQQ*4b0!OOewnm*kp2gMpPh)Pqre6Bnwr-*7K&jyB={{f5Waw(Yhd|sAlzbSNT5#uO zP0FPIWF|=ZG-_WA_;!5NT);s$KlhrBt56+2O%RYmAkfr>r2SJ7@Yx8rlL42la^$D@iwmYzc*g#( zmlwB!Gy#;8TeE@n3DYm7%)bU)58+^ULFqg(Mc?vJ?v?d!gE7sClAvzP*_6q|2>wJi ze5>NYOG^fkG4bi$b66<8#t>x3Jz>E(gsi?cU}wi!TzkXCEi3cK^8I5=z>{56Y$OPW z3J9&IV~C$B5SmHq z4vrSazYK{VwRiAUNv?8AzOCUefB<9@>Ybv+h=*jbP%8TL5v}0j14F@?8!sHmrNxIL zvgZ=<8^P)=EZre6J_SGB>fXt1#_4VFtugvJKkxw2AVzdX(&Ux?nFpOM~DttU;3q@4Ax}x=q z7G;y$t*KN*x&iWzX*c!Zh4Cw|pFHYlb_V-k*jDA1IJa6BfDTIC2-ef4mj!zpm8?FN z(E9{Om+eO*ScR=ox*XGIRC*JW)9xUGH*?C4EC#RQzfdgcc~Bmb@`@`~cixndw-ZcM z)ZF+1)gug_y*bp>6nd4U31Z{Rr$7lc<~E(H-FSV1f0XfpOtm7;l_sTO3j63VbYjs% z2b@-CTYI<)*=7Ruvl`d|#p38*%-H4^u9dQ&{IY1C z>8k|bju*#4%@=-N4$t#Jkz-9-bX8?P?Wjqjg=3SsMJrFXnrgJt{W#ewqb$}s@5J}P z7kCC-0KJU7J`^xA?tAa!k4vGS7&~S*c@rO1oU4o+hj&PRAQA(PZ|XX%$M4-4JF7<*0Gv-*6y6~iJ>2<9xwidX80Fc&lgA3 zDJ!t&W#ttu-@S4Z7x-O_7nM9O$2wmwBkwo{IpBH79d1Iua>Mj7-5ilb-%c{W5s;lG z+JE0-9nSw@?x$b~^MX~fyxN_eS^V>+KAlu)Xul3Xn{x~N8l|YX^dqbR-!^e5kWDfl zAnl~nHg75g+DN*bB}V+iPcxb{bT2YN{Gnw%^8GauUoQx3XZ^ctM(8>q(M z)+o79sLFEP$VERDV=HWAvQZK38FO%8m8w0{xlIy2k~pRDawBHvVzi)V1m_k(^6ew^ z*6sa`9&P1MV5zsM((K97;mwj_>K1Ve zFow=Dxhu;5&MB+LqTGm&Un)BY;6u!8PwiY#t%)xiaM7$_#SSkJBZOb!cf4I2pn+!1 zy*Y=4aKc9i+N`72csat90CKyDK^uI*Lu%*vQJ#)6CijVhn{8~MyDF8|F9L_U&Rjmv z0e7CeaXh*r+W?!ikL-CAJF!0*tl|_QhX5DK7bmt^1};47-oCRjZw;$wnX;%20Q{h1 
zK1B|q7if!1E*m6-gxK3rF(2iMBp-Uex&Z-mo2^rEN&}$^?^E!QF7!Pazcnu?U;F|A z6Z*t~49(u#>Enuii)r#7E#Jug?x(R7f#boY=B}2hBW}~}-%Wn}4tBxD3K_?^uISo& zAnpFae;LN^dY#5Za6FYV*N2C&X6Y+;G-^Z!N=aj`0cetE=)~iT;PZs-|pW3 zycJQmC`7@+*8=cs0!IL~$Nf=mx!h6p-bz|->`lo^vT|UKm}dU)I~`yr;OVO9k!E1G zVqu^|jPSAIG2@?(Yqh!nVW;(&mYT7Z{iV-DBg#bh2V$1X4TUYa2<{!sEXC*HXgum8 z(iAA>HG<83(*0_3cS?7ioS!4=+!-R50Ls`;=}U8t#Eo6wWnxwRf5JFzW&41o;p3hzX0^vuXQCEq7T3Cq+mCH5?7SDSR+G{LSl zAXwklMbyds&V#T%=$d4194R%3AN~IIeQK~oaOH_jqD3^<)L>lUC#(cQajL1hbGlT2 z#(I}w9=~LdP-{f;n_WF<-!6@1#+76l!`A3a|60!FmX#FZGSEOTLaJ|r%Nv5?JFD6s zW@lfa7|`~P?igoTU+8kUlSe;qZLE}D?kv@2>;^-Ya0bV)1l?38f4Ubn3Ta4KY{@a? zCM|lA0ND!SngAIrw2nf7FYWi$5>5tM4`^x>o3;{ImOp;ttJEUo3k+vi@hC6fqGinq zGxx-BQ@t5@&m(04S;1ytpr!_FK$VNHcTv=9|G=uFCKZX7ISQ3|gEtanT=y&w@0TcQ-5TN9Qh{g%ufm186;E<4H?Ucj92hj@o%qBEHw!tIkBD3SG6Zq>xJ?#V$lIBDF0DK47p!2xt zx%_z?{9SAAmOSM6BWvEGsiKdw&9H!`M9rQLrKK%~&@5+z%!)TUS-QuDA9?H4+$0@4 zwS7^te(y@xC-+xARzm8wwMk^vs7WEvZq%$!>9P|iWjI*z-D@vmBd&>seTdt!L31q3 zy+xAl=J8om<}of7($OFv+WMy;I2G6Dt_H@6-}v}ql5TB`sOGD(+76jQIne8Lv<#C*RZc*oxyYs#>>tn=*{-&6xm&@;j&IJm;){b6r!KS>m;txw?w!4v7s?HSas3DJY2CQ|V51`M)Qz6SFFy z1e1R-OqUQR!Dpt_#OeAWdZd$!3UGp?)tq|UsN<)q)>%N>ukO@~U(m$SypMH`TP=$Q z?VTA1-P54_03JDxoeJlgh^5pc*y``=a<#1(TJjP2wDQfs_iF6d37P|e5uutoK8G$W z>-UeXJ7Xol_eq94>?Zs;tZ|Eh!p8DJdko|pTHsYgkp2f}sd;k&G`-)UT5H+9!E#B&U=ua;<$Id;ZQN3q z%jF;+Aj&*gQM!V!FoRWRUHT?H}{_D`Azbh56Eq=lJn$jnk zxY56(wr$VCasJ;eMr6X4+RB|%Kg%vKu-)6q{Yc%=8>AEYlY=pN{5QW^Yr+X@eEL|T z=SA5t5*<@6fnuK))3GiuymIp)Ae^7tAprE<0R4()V2zR0s-AGp-9w} zvrgB~X5e%~pl{cBrE`=8)(TN(SRABD=JlQoC1uJRZMrNKl@h}~kWIfD4vlp+hv+($ zy{CX^$iRkKFwth(>5szY0o!L@8^?y6!rIeUh12rxmVslC5(7^~=;$C@O!WuqBGA~>iPf7>rGX3U&R z^nxs*{-unKCib`^SpZZ*;2j7+v_PB&LAhnD1@S3oQev!)nK4e1&X-U@R z4Y$6)MXIXS3bEcvGu4s)u?Is~Jr>tsSl2W*`4n2plMN49F#Xg)Cf+CB`K7&te=>{M zdz7kAcx*3I7IMO}tA1OoSEA>evZE38_~v~nRVb~8wowE5t4@?1+B`+bS~xuV#ZV#O z<KKp!hMPyme^YK0@l!Zp%&nF8cwl{$b27MnEZ|*RB2t^UBrBpPysF3kB5UR3 zN;g2|Lf_#|X+jP*7M_0diL2b7;)Hu^KD57XzmlAb(#SHJsFqQ--wOgNL13I#=0EuuA2 
zYD&D!uO9z^G&0_RyNu+`cS%yIC13B1QS__K63nP6-=Rh^7>{q&WU9_swpPK^3Jr`U z94(ot28km|Bcl^VRwFjTM#oEe!A5YSYC?72SkbLK|xIW|M3|uelM6D%E zjdU?b!Eq~QfR0$5#uQHk6O+9_|CsT|ekl=P)yo~Mg0`QS;+Sq#C~t$lu$M^cD%w)I z6_{&Rj->X`C3n>S8hY22vRwrhZ1WW&`&xNN(9}s=EoMZL9;&KyjLC>bA~NePE!?~U zL|+~LB5bRi$taa4iio|L;^q4=OvG0y7503Q1oP`ogvAc=&P?^u1=zc5MXRzpV}$iM zw;^Nsv>7rk|B3}ksX@SE)>Cia zgY2KFTsLK#VmPDUSLewrW6_o&NQ`si~iNN|(?`7Lgins*!97#zmNYW3GCJ?02m^ zD>fB%Y#hl+n5Q%y5S26vz7!DrL|+Ol=DB3*k=1-kQopuD9qa1DN5I{V)5875^++8h zgvPkdwX>wQUv(17yqr)f{6rk0AmR-q5$OQU^kAY{;Y|V9f8SC*@BJgQk%qT#nl5jV zVftNo@Ys6`&SecV1Yx(1%E#A_u!hnyrvrO(-kpHD=NDH|7$sii#*cf;N+W^x&i&pOcXLd>T&+G+3zL?dpNOhC0`JH zl>YVCz(L1+Z7@>vF}X)+S}(i0V5dnbIK6YIwAzTtk?0q(%qUoK;mt(W*n zeJeK>T2sdr>{~vJY*tYt>yehWFBDPAZ_G9E3Yy&xJ~S^mEkL;SooSB3U6(& z)WR$cQU0tEzbhkH_JD3Ay_!KG%{4PxnY*Qs8bNa$N8xWi*PmxMF8`qv$4FU4>a_JZ z(Z`JE3|y?(f0P;b!_x z-0M^V7&a!t2s43wj!N$p#L=THh3gvGd@ZeA%{w-WX{#w3I8SWJ)7ZH;ZryJd9%P(- z?MObcm-;3w3!A)NBH8vSahrDh?CJc&lH0;3Ht;MBIn(ZFHzyB3vP!f8@vAar%Kk3z zveez7=e00-`WRQD+{ z+Mr*o0J5#(cQvIci>%ll;VG>^g1nez+MWi*%u)p3&LcqhsNeW9#9MTAyn3EV3tr)?ddSsg|Q-bu~6qnMtx>9+agA|5BYi zi_4BjzSU3VwRt`pCwqD87kAfl_1N+UG~(Nz?&YdE#S=-^ee(3j)tn=AjkJ46CC*$p zSpDhYmIRRSwNzw2wH2-U>#|JNkpGDilgL=&Ds{D(Pcmz|sx~oW1dyj5ty6f67>z|&Cs~3f>#vd|n&+D= z>$y}~aa`O0y~kdf1L?yUM>!dSImP%|;MK$mWlRD1J=bpMa8o8iO6(R`r9& zg4R-A-MuQ|r^Sv4j4GC4{0MCMy@?84TkR&d*^lrdEO(lL2M)gMELG4dC?~p1oc#dt z2lNV(rf`$}PzRoY!K&vL;maa2+sy6~=H$d(pKefa&!g;wqj3*Xl+&F&5P`E@Azq3Q)3uP z{^<**C%K#G{#PQ{hCXz3;&g#^rd@=qMNLLGtA6EPLFOYG9qAE^TO{{;76+aKMJWI@ zC{eX(Be3cnr;a5yXoXjn-Vmc;jZI@1`fR~K;I79dqhUSs@@CNp81xbZQk9%^S{te+ zET>cEGxiY-ZMf3ga@4-XSp;*$fpKSlKsX@veW95;E2>a-nyC!ki$R)T;!jDHp8b?Y zp~wPk28EOb6v7yhWQxu8_V(#~qxK##KgZ>tR3|dfhtQJH#bwm-co4eK6;b3qiv!VV zMSyNpbHrLef`^=nS%@^#>AF;VLDmyT_jgdAq>Uvs;<2_pGHvLic?uR)@mfs?J;?ZNh6Eh-!gjtmuc$85E&Vpr>A;msHZp{s(ydS*Hw#)_d_;^>y%Z1MQlFZ=WL za%ZVa&sfk&RlS1+hCcH&`I*e#x?vX}`MUc0Srsf8*^|b%KD1RhB+|$oRR{HH7HKl+ zL`2=6G5higABp!GE0+{1vsjxaL}b524vKb#e8t+o=e7yzbu9PKd7Xjqwk5={JZd}& zs(v}SGfqOBwCX8N=H 
zmHz-uLP|)iOjTc4NETCZ1PDz6RVW4!C1ySOFTSJW{s9fCAa(&L7;eGj-yykKl9GGU zXn7zdz{i);*>9HjQH%HO|9bxF9Rs~)ri(HG)znXsSR3jeP|;U zo}CA&O2oaWd*QOAEn2Kco5LB3VJziSB~!2Pp3_D9H*E3V@a&XH%kZKGz1XFX>Zqu6 z@9{A3I6i-81#jcL^9E~YJT5Gp%}nU=jk)PcHOnt*I*MG7d(VP^_<4#}16WaAC$7iI zTFO|iWE0wLsyav6PeKt=95?c0--Ba6C4GudyQ%epX6-oLSfJ-EXehnIa)a)XhgIvp z%W3>~j~?6so8GDYx}b;p0xN>8v^H={)_31LAm{xXT49B7{nV!0M4ayQ3HU9u)W~5M_%WH}2e`)oiegH!;xRM}5Zn^4W^APly#*M$vg^*sl>U;I&zF5+4Xf zqmpv+eaeTjRY*ZBO&BlB@gadGc5d7+9l`axyGUAvnwbr#3ENLApOEn=x=4SiXB5tQ z2B+o1V>5o$?!J6ik4IbM7emPf-v?G&Avsu-D!y3*X!)pYj}mpT7{-MKAdb1$LXYZL6}HE9x+~L#P||bc=epoGSuqSfOj%?}Dz5JcT6}CDg_~%7J_)soU!tTbgRalqMJAU$RZ`C6Ij+#i5KJ zy!rXe>XbDiZji^hn>P(AqS0cYF|5=RPy2<-6;84mF+-U{DoYhsr^K((YEn&~n^67M zYs(O#7;KTbZ0YBfHqBdNlzICieZqH4ExToNWuNP2`NQj}AGHlil7z&sr!1p~>$^7T z+eV;{sBI3Llp6%CrSGoWxT>mrng_~Kl^bGnV2xg$99|uCKhS7jXCoLMz#p3dJeGqy zz7D|4a@fDt7V=yG^7w3d3XLb$chsTN#vgULUlev(6TdH^{8k`Xw&zaL``BhRRbcW$ zayyc*`v^0X=9#37ZcQkcCwUBnc)jSqtChd7_5V;a*0X_#AVe=>Z?Z=*{Me8gl1mle z=po~+ZCYvvdfhs=K3hePuNwd;e@ebr&Czrf2`M&Lx!Imh0u`ww2OkT@+rL^z8G#@C zOeQP;hu{@4b+OMpL^r#Y+M_(9!~f#jotuUf;ybkId*siAuaT8!jYb7@+BqsNYkxo( zA3oFCFG+3lzJoqkH$X&s6F9hQ(=f%lI0ObSd74Znf4AS_l(qUHw`Vsj8SaznbRC2; zv^J22!9(fO{IU|Nrw-dSR+Ta2CxeDKPuf-Ju?k9CrHJL%g7NJ!DO>? zOWN0u@%&9T{{mJWboQ~^`q$jOOYB@2Ygv1FIDpM*2Nqe;@1X0?^2118N75(7l5&Ga zB?dcA{Kp7bA+`McZ;BV-6f$cTu&K*u7Adx*>LHbQjV$uu+#RU57Rt2F9Yv1Ny7`0~ z_acR(8P=m(o9@otc)ha%Hn;yoq9Q`P#TR^VLz$oWLS7_>ZoGCJWEsK1^5x<$l~h-c$Lhhp5dH84>-f;&@y96LAg_~0`MkAgOdt0006_p(M(o()_W{<7B z=)=*`0K;QsQ#LZX98 zbP((iC7vzVPNYU!OQI&^dE&uUisVsXj13DV9Q4VFB5y_yS1-!H^?CfZGp3j@R;lZu zd>lS{DWZ%lmleDqIWV>gA)nA+SOVWf+pmnB3e8z7hR~*n!s%3p8Wqy0RGnpiO&*N! 
z+Rv9>QpgZYv#(Dd9aD$PSKledis&jUyu4e4-X&Md2u0|~ugPs?9O$%WoE_U3Nv$u@ zLOnRM(NnsD%CvpcjTPbm3;!_75uW&#rpwTYNq~i@Ty&pz>f$PF zS*xv{bFqGaT%jSpaZUNNMdzxwPUiCBiddP;`rHxga@XjE44YCX9>#}jS;przC|0=+ z#}sIJ*2|rAo=rheX2@q!sF6A*_A>~cX8%3fsJ^0s3F0wvlm7wu>g2s^q0vMe@(Ck5 zZD%?*+W5S5P1@L)Qu)=@z`z6TSB(Md^Nwa2g49-v)j0vV-T?x=kcIAo@}L6y>xHtm zM2M@W=sljX4CU){FZ7>se?SR7piZ_Z#|Sq@t1Pak*y;wMf~5<{VDZ4%Vi{J zw@E0laNgZzX@fniQ@o<3pc6i|Gqv0GU;KHx_RwYIJ22-vc4kU#5#{M65|ewdD_9jX z*p@Y451-!2EYV>v7$J37jJ2A{}JEE{M za-5u;*?DdpUBG^o%!UD3HH5_2Z}Iq}8m#!%m91v4Usr_~+c> z$g7w^%3cO+h%<2|ru^OvblPO-zJ2U}Dw3t0Tu>J=L~F-KFdpUslef=bHRHF1o@J^< zE7zwW9$r26Wtdkk$rBnXed#GeqbB89daIK`!JrI99Bs~)m9eS&al+o=N;Uv<0BorW z5(s*Qg3R8&%<2R{QRoYiUD)!`q?1?}=4rfO90=H*25; zWlk3v?!}wp27Rh%Dt^I?)+c}L8rC~rC#ntastFW1U6!>;=Oa!F*$nhMu_Q)w3ryR@ z%X)$|NdMQwq2k~X$MgW8*!Y>y&J~ucbZUqW3;7!Sx!kZRoQE$i^UnC&^L!MrwoYGa_vpVnq(N;QV`20bell%%vA{f3?(S66>-Rdm z%y?<{)Hh7eF=KD*EOU&~^!zyknV{7uTGohe)y_S)!zMp5;zY&fOeQ`HLcE=S5EYun`wF=Nyq5&YgWFtDBl01o(pRAb+2k(JTMMG5FG^KHU50_N@#~G6VHj z(Hae3vh#E;(7)qI zb2`svc_sACGQUx@a`8;!)$G{E`m+;z+X%eKT(C0|ZR{9|TZOQ%QUY^4Y=)hx+hoDH z5AkgwJ(-phZ&fKBE;176;k77ZSJ#$fWpCkw>B&9lNh|RO3D8m3og5;&>o!!yRcH<1{l@bgfUkEgKrbg-hGlg~?Smu~G|MbR3D`j6E zL*?AY%v^abe$|cm=~0DuiJ$(bmuU~On~G7_e3MJXCp0i&}8egaOJ4Cs5{# z3yEt|X`Cs0NPVWT)bZ|6oraF8#Vjpo2g>0^8Cyxd8W+rTTK3#Z;#iDD*# zjou*q+jkP=tVQIPuwYRRW-7h9I|{%OsgBIPWY_UWb?Am=%Xd`k$Xj@`6Gg*D{hK_PZLI;0(5Okh94U~c(BL>WDmxg0aP68VgQx5J zG8?wEw6)i_*GwMfYX)y^=;m3{KT1dl(#A;Q(*sF82j*i)!3D6e^p z_b0@bt7A*dx0)LjU1Ahl?{jh~fVr?=FSA!6;^%_PqSh9|Ubf`v!Gb%@< v3KT`LIzg8T2TiZFFFuS5WQ&b z;19B!pK?!Ptzg$)W(JE|B@Le`lC$yz=wQkV!ZWl5 z_#GJ}E$nZoCoF8hoC_L z#nBFtU&m8F<1Mw+k}#{XC8w>^4F$2E`DchZe8h4SV`%bk;is63mu}2h zP~k|!YO^ChhZ8tQ^FWV}ZstPA5?HTv?%CY%bzYSpI2#RGI@FPQOb*G_j8OdcNB+WB zBKIYJUs+(3nOl3>k$Q6dt+ze`gD2h*?{?g3^DKl2?^JLAIc0{}R$HZ` zxn`4gG%sKwBo27ZoNd7_D{jfYt4W(X{@pVD|I!kjSWWMGp?Kb?(~i}V?R7fExEaQ{ zOIm`dc!-v;6TaSP<-n;Sypsn<#PxkKK|F|cJQT&I0ijj=(QePrWWrJ?R(S--3Y(PK 
zBKZ1A%a)>LVo~4N;MUpqhx$9C3E3EaHey5+Hje0**s3#C&j?u|E#=_t7*$SmCRJB>4H%Sccx*!A||Pk!}v2PpnT=wbQ=3=Bw@}lN-2SHA_}rTcr9~2~}`p zZa=Wd#%g#YHha(J!J{K2Vqvq%=it^5H; zZ*}g8$_eh=bdhiXtLX_T7l}URl^H0+eywWKwP3_nNQ%APDc8N|)ky8Vx{CCGH97vU zo4JA-Gse?CT)1qwD3wDto#Ec&51+H#GkPU_QI5%NDtVtl6HBd{p}Vb>4Kez zI`74Hw3={f@fMw1E;TL=>QT>y@1K!1({oPX{ z)Rx}enU7gqbHZYJ=Gierx@nYj>{>*jUVV(jrvN~p42rlO(U@vcB1|td)Qc2C>?`_M zH6@o#Ka(3Y%S`TM*c1V&o-EmkbxFSwQXAgjR6*;2~tk zoKXM!3mfb5s84evTX}XAv!=B0E8o1RYtSVHkiDwS@LQqUu504wR&W~BsnP1~i`bVQ zi%!@+9w5ZHFZ($_ydK#7P;Pc_YY%?XQV(-|R+gP{<>U1&(ShP4hE>gE8rwRWeu5M6 ze7CD}@Xy<<`lhG}`#jCF@fGXI>ucQe3TkqVn$}Q&4#~vKpg5a7U4Cp{U(@tLlD5Y& z(=;-j%$^YmW+S+tBT&r$nX9g*p)q2w>1!2yDK9NfrYatHliZWD^80#%(B-bH^jb43!XL}oC+dl)>kt}Sm_tDuJ2DV=%imV7qF4B z;G0^c&uv-=W?=`1tzY<&$hjpg@6R9*SMrXTg8_6nA%-kHw0(+gqG8DjfiY1Hk%@) zXMz5@?djvI{nA&>==;=aj;p-(tA|*Qv#L@ zf4)w+bF;QF1yN{NbAb95wMG~e0_AG>PFt!IWAhU9QrT&%2Cb=)GP9mks7d_e*Zyzh zvi}5`Og&TOyw2X>grCYLO704L2fsQ``yJU{X3Y?kbB7g~J4?S&U!Sm4nZ)%RgmSq- zd|e(8R;MnnCw^dZZYkvAc;u(=2Ni5=VRwNzF&Xch>xumYo4LalaOF{;{1n3;(UScN zshX#Y-oXV|TX!U}Ik-Yg^Pzo6bOeKBDhyL@>#)M&tI5`5mC6F^vIklQ!(V+hV0+S~ zL0i_+0}=I}teB1$0wSKJ*Qd*sy93M2ZA{%L5L~zWlKkwDnKZ4$%>d0;44$_&*eX~R z_pf%kPmLAvZYdSUA}X(`Eoi5_wRyyz_;}@?u^+MKL60%&2b| z;ZDgX58Usdh9ypW35`M4&xa-5F z^C1Y65B5`V(?>huN6wgQ`QAcV*}5csu{?e#otP<_AgIWAp{?GQ?@jQEUzMa%D9 zE=YMo7~z*o!GQ}3<5~SFw!^w`xg)0ny}V#WLQi68DT1CXY@+gI?&YeoHgX8AVU8W& z-S*^86<5DGp6of_}R4o&8EPI8mEPessf9jqr*XozfGYmzK)u2BAXiRGbsRX|2+nWj@;%q;IPIHgi?Mu9RNa8 z+PIce_nr|?)cWE|+iM+{WqHRL_?%qC*C5|+bPsF}m3BMp^i{vgn_w)h3e)%>8McAG z5zlk+o|0K6y0F4L$+4euE;k|G6qxC5)UncPxBrgHxe{)#G8oB!i!pkYujQ0s7$p1! 
z6N$1Fg3tejm1fGKv6d7PA&se=xZu55iCd_uHuR(bWD@{P>8i4!lV+`c6)IZvmAbMxhuw;nk0nJltfpIRYf@v~8_0y}`e(h^|RLl9r; zdi9w+0S8~POwk>j5V`RjY`aAF3ar@b1 za5nAM*T<%SV0>KO)`|VReVZSUWC@06K9{?`CJn03e${Hf=7U^IHp9Ic5>|ao<`24H zf?Vaxu3?1x)hxm7ez@x%TQ@+r6~W^JRv@8Uv*4!$F6Wlu6TrHORlMS$QuMEEjBZ$W z@7Yn>lJ4SCm(Ak!!pAYP(&}Wf?X^080Te1@W@8-erFoM@!?}G9c<34|G8X)l=%>J~ z%poe1T%W)I_3yCV57}#NKmH@#@_(}IzpaXjnnL0&xQ75MdBfRT&FSxnLSGrH=+m2v zK|dk~Q8wUay~0OLiT5`Keyc!Y{5m5>ikr3#+@1aQ6u4G8a{hpN)UK8kA3w3SpECXd z{l*6-%LK{)c*Pf{{s)wa;dGBKelLyWsvI_a=LoD{#Ryk!@cnMW#Nb7KV?nS-RH{ds zFO3D#*8eC^1)gf(=>qVRPk?O)TnWR;?3%wH5M94-a=r!zc)GHGKp|Odw&Qx4|2RVS zA3s%>tPE{D;mCbwr4n`yWUA<6NHn>*W957XDF_|El?aG?l-%;(s;!f3%c; zUGsnI@Sx(ifJn!P>JLbY2Vp7MWz~T>to!BTQ)QPF-zWdx?4+3f~;3F&UgICsMXDi#!uf)B9AReO3Z`03} zXE#5mG`8diW+@ViC;tAvG9m{n;J;Yd_3ssup-eKWRcP*eWH{nTfa7}y90aQf=fsEBh2I&TI7}?>j@;~iWlm#$G^XB zx&$aQ?l~WOV-f6lQ!Hmytj#~Jc#0%e8HQSDz>)YtnBOih=JDP583k=nQOBJ7_t)-RLyr$Vqu5kYxq@v zKp8OcYoMn9x|A^8KcF##%)33muINKd8>{PY|Iwn6qJOK6qS$wpU9k*{(&&vB;Lg7atozXAS~e~178 
diff --git a/integrations/amazon-security-lake/images/asl-overview.jpeg b/integrations/amazon-security-lake/images/asl-overview.jpeg deleted file mode 100644 index 294cf4024ba496ee1a94b137a63772b89308e8f9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 33327 zcmeFZ2Ut_xwl2I7q*nz51tNliARr*UL`0g1ROv-Py7XS7A|N0jT|fv$q!W=|1f(Oq z214(>gc?FfZoa+Gx#!#a-2Lsd&;9SS_y0U6IALaGt+>WoV~#oAcf51qCUElr?Gr^6 zMSy?+00{6u0B#D92S|yDNr*3#l8}&)k&%*9(o<1VP*5^oxk^LNdL6{ZdYy&kCMQ4F z&0F_4SXj8l?%umE_~5|<5SN6ExR5lz@B^XWzJ!2`jEs_kl8K6nNr;_=UFaWv;hF(D zQi2ymMT7*mfJ<})gmeVBHUNY_&&vdVdIA6TBDh3IbeWihl#HALze6Q0aEXAB@DdT> z<;z4w_`L)1p94g6m#?r3$`N1HG$*;`N-y*#Hj9+wQQ1!ht)YERVGFmnWaNz3n3%8M zzQe_Rm*;_qsF=8fr2JzAMI~jGC)zsCb@lWO3@u+;S=-p!*}HpqdU^Z!`USrW2@QK6 z9uXIxkeHPGDJ3;K=S%L_y!?W~@8uPhRn;}MbuF!J?H!$6-M@xMM#skC6O)LA#iiwy z)wT7FP2|Dh(ecSC>J0sxT?7E(pUuMm{48{Y`&h%U1W z5?_(iBr$irdQ0dHDgC3^tg@eE9Ku@r3>I!f&XUrn9xmH8TA zPrRH5FcfTKlzvtS!6>Qiu<3t zg>oCuE}()8pncj(v57qF=(*WR`dntixd68A z_iv#nT6@kB{@L+y2Dk|6?A4SzI@NRF^3_{8*h`GBALJK8ETHGwI}n6-kYZnx#niP# z=$?%=27lGcb~HM_n&g&@@|D_Ok?s`i?RIXYdD$kXjv*BR>@*F&+a)_YIFN6pzH=t) zjps4igH9gOY2p9^3hlr@Fdi_@F1H-vA0FRigo}`|S$P>JkY;+qjUr}lI%)lmijGcxBhd$lvFd z$*?+a;Hc(iU>DohB7w*UDA;QG=-5$;B^`sUr)7>pQ3(Lq)z1Tqz(~PRu+|a>ffL8vUT<1;N?zfvcOB=^8={0= z^XB560s90)rA;|P&$f#6>8n2~2va1qJ@X---k?qGkijx_Nq9H!{cfK1^eDu_>wqmK$wLuBb!r3ZlG0#6qj+L&D(J z`jhSE_t6Hf`~ip^#66dyqF$(8@ufk(93}0p`SeFIHlIGgYopjM&P1lrUf0njt-7te zz;o*KyKrnYHc?A}(Z|g#8$@fT<)mvh>C4<@)}Tlu7ahp^VF-I;)6fm&Hmo{jT{XB@ z%0Ikd(6E)hoTz)lrO78$LV|EEqE5Xv-LDPh(Q}c|sW!IjygDV7-YxL3ss6lG207@y zPO#o-JWLE_I2(JVkWhQDD?6BBv?S4LLz0Dwl6PHnyfoBeyp{Tj-{R`!xLuJu!b4|Z z5A+dCVx*C2t4h=MP(>7aug-I9t1^40k43B96@G<>SeI3HgGjd-<h(sPqTjqnCUvqpQu=CXCOV@1Yo}w-iOY}nmNzb!ib%9vN3V9u z@LKbx`R?d$-d&8F8S(oSP0rBaM)TD2huf_1e!}c6HJMivMl#8t_6Mj&rc{aE0lCc2 zL#LgH=r$t0J&3Xgk=UWdQtW(Pu82EZ`(B@xei0+=)FvGpJ5_26d_y)u3sKfM!1!B5 
zV}=yj?FfJK>%|K>=dBL+nL9|C`$?Cibr^8~orlU!gP4TTr{p$j%W~?XgV+mflfL)!?eaabu&ot#g*Y`K5rXmkaKBCw4xqM?EYxCe-QJfO&V^BjVu>*JRwoN7>~szG+S` zNyu;$eler9g*nT#Y@Xohghso|zZjwd_16IZ)R(55gI_~(BMnEsgo_e;)IB1`0k!ea z#hoogO$aKmSn|tvbxW3U><^v%$8~=!%%K!9ybHXVHhJ=} zPG39bCM{jo{hZ5ow-NVAyKW@b#YWE)4#V59Ab*8AHSebm*7t~7c7@)-?g@W(of}T~ zTvQ|fWyZ5-I8w5F@NVjM-D6pUbrjd``4NnJxPiCWCsJNj^@faSM}OBQ;}waN&;7$N zH0tZYDgC`p9?{@xR`DC(d}z#6qsUc=lUkqcpKqvRXMHElk`vrZuEqZMn{^-smS1eCs z$C0=+$o??qYJlYUF-lrn+TCt{W(#5&^+Fh&c)j^~r0}aA!Kv4xAE=LqQU0xUNhwP) zSGV*Y^*M^T+M6p|S^M;AZcDv+DADgDlTTQj9l;I!H`=9)_>;YD2hfhXz`6W3@}j8c zywPc>iEXM}k5{a9=qF96M}CPD;$Y_9f_|y~a_<{rmJ20tl${2F0{y>4yUfZcu`pPH zDlHv9Sm4VsaMD?Rx}azrs1A-YEpDO;48ziyaGVSDVh7IY!B&T|r-|QQ4Kz;c<^uGZ z3jds@M}<^GTV@%qGk#Qe_bf4{aHp!09Pd+e6M3O}yden3O6w;#A)H)#FiVl3h1 zPo8J7#LsWIk-kdr1P+@Q%Xb?&94K;r)caIAR&o@|l$3N#S%)tiEV^^TR(23+(c}d6 zE`&0+gtOc*&KhJ!HCq*X)p&bvIA4O7=&e5Gu@|u#-L4JPvWK4w$m?Acj0dGv7RfM5 zITtV;F~-!;f&v4Pvg)WuoU-O0LIKgBr*1AvuMQr{$VMR5BS7Y1?aAKmy>T<0cGqHU zyy9|dFGs&x`G91Xrqwx&9xDwnS@cG|dw>IEXNPBOLdB1I5-sl`AIPP2Oniz@Z}mFX z&?EBBq|wQ4aH6^4@Es+uGs*#9hU$j)@$=u)drEjNgPCXbw*0<(!$6ShzZhqe|12( zRvY4b7^KH?0(lZTi$Oz4KhkUU!;_vU@8B6(;WD%%RDu!kJk$geO58kWH z`CS*GR0FZH1jirX0O7&>Qtj48i7F&@_K7P(mGGXTT7Pr!TVioET$frw%WgCJ$taIz z@@)lce4rJ+iJzMY|7b$dbq@RT)|qlc3xNcN zr133M;CCDLqj-AGRdp-M=2jxZb%jv<)1Pe^28=uc73FVV7vVfnKjP6%O3AdZYb7wZ zx>xksxq}wc9K$fK#2Eh7UTXs(8thuUsUe{hx0awtLbStTDVrH+-|?lcVh9Jct1jMf zyfX(vF4?=Gju1Z@zl?HwORYu650k_9ntt(`b#=%R{IC)<+LZKcM<1NH_KW3X{ISpb z&Fre{Ue2l=7k>kr-&z98&+V7~I()RBaNQ}*oh=Ju4L9!<6XHiE-n2?^ll)+bEE{yRHpz>M|p@vt!2Cr5tI8d3sxleA0`3*JH)|%2l?OsQWmjs4WsUiX{0T|9?^ z93^;~;+-T`s%7rDe+dW38~)lK9d2DTx!=x_<&d9PRmOa|L++%+j1JP3zTk{r!w2-N z5=$QlR#8m=+k`)Ku$^YnjD1M2RdpPK)|O(z0m~9gG3aCH89W1?)rkYx=U5={FF2sT z;UGNz^{ih-W81%`s<-&}#Yku8p_K{!{{!FJqh&xS(bRVy()_x-SSaSZR1f(@_} zwxbL?iVyo0vI8JQLsR|g&JE;Fy@=btM$r>rc;#OIt}Ysq*W+nhp|g}bN1N-x@E|~3RA}@%p;2RFzaT@ynP_XSXUIbaJP2!!A(ypezTP8pcK5HS|yh% z;l~KW6}^ew7F`WU!$|6!pRNO3Jw?x8bjMj*B6G53C9gu|@h_dI+)s1^L5W7{!y;rA 
zJ?Zv?ArbAP$wZ-4vA-_FMGQ%E%13Wq&n?C(OT_VOcAfNj5Oy3Gb`xE9f>Ko_(^~n9 zO11rLJUNk3KU<9}A4|Xb{BCF5JLmfPDcvbE*)T~FsfF9UZ+9I}d33#|-EYds`;A3e z%KsS5eJeGlG17M1Bu|{A?6l9QU-Lr$5Pr_e0?zi zJU+|p7Uaplpf+4^BKU;^zRNhM8dME8Sa8HYu6v8v91MhZ)tZCSn83UOTW5#S7?~gG zeKU)Oauh#WtA?0ZR_g>9QBQ3t97T${Wy-&Hf8o5Z@@CnEnB;3971{cB1%q;>A-QKD zHq~y;a~uckca%n2n$H)QX^xjVuGN~aDA+kIDgv>!F$?;VI3UboWXbVS3mUPf7Tf&3 z^Nxvo9HD@PAP(3p2w-0bL0+CN@fmJ4zq0UE>l(i@dFDq&UmPG&tR}BsJG_@$UiYE% zf#X}!tzDTYuKk_N4W)~0-2z`bPe;DtnG*D-2k5^t6B-Sn)HC{V!0cQ$NP%8A@8fTj zkoIuU%te&tMZpRVuno)rSNcM{`w(JFQ(pEf)+j%5_Wk}uhLR~$qukHD3_UC$#;GgHv1Td(>`uUXp-Yc8RgsUt=70$uIZ|^$5qz7~Xo&t{NUC7Q2Z9oEH4S^;ohsMzQZ3@F9~H z+McUUCR?%4T%&p!rDFc$){nT=X3dOt_4<^t-exSnh8>MXR3{sU^35(zHPu1_z?SC{t5C< zQBFhX_(s(eZxxnczuH}8nG5t7EHster~D^!Gx=w#SL);2)I+a*7VB^TO3w>CorXQn z+g_XQv-Wk1j0lbCW>G9z4Ae7Fh}c|mtYayr<9-Z!y@eWa4p1qyH?+_XY(4bfza|IEFcWin2hS~R_)DDLwXPxkk{~+u*!@4}i8r!QvUAFf=T9ka zy46#!4lt9T^{j(QFFQWt=jq))y!TX49ycUA@Z=bwM0eu@7Gt{47oJ@=qLK<_-}w&3Z^y;ip;Qr#1AD?2YPwl+f|? z;re_So<7vAcJy^haw*ok=Vtvdm^vs2+EGy?);cUF7V1&p=y<(Uv$PF;Z5EVQu|2auM=UL>zVY%U@|-_M}_za~U&=A3x7^8WxW{9hLZ7>qQVs)vuJ zN*?W;7$Mq5p3Fw%a2+vN*EX^E1f93Dfv$_>_IeE(Pb&&=S|0iWyDx%?7&!@oJIDrd z0lBXMa>F93e2lwH&K!}twQ=KM5r(H%GA*<;>sPqUJA@Gh69GE=CpllI=30`onRi#J z2(nFjR@$uWNU2UmDVJX!h?hciQ09vyBO*n-toF>Qo4c$}`WLrOommIZtnP8BWeR!R z^xTx_vz^3<)QkkY@Vvo0!9KD$j2*BK@qXZKswKZl&tYfAFS6G?Ku<7)a_`X1;QXXO z4J|OdR((yQa+*NbHoRlS%0eodnns3K{u!LlQ%3vw$b7U_^3xRdPc;Pk-$`z`JX2)y z>=fzt5&kJz`eyOksFPx%rPKIVWS1?up|yE8JY!WSk-<_2%>ChQke1Q|f+0wYQr2Fb`c8?IXPy}E$(LT~rM0z{wP@RF zO>LywUsy|JCF!@^Pm8h~`{v|jRT03VWXbMCC#P&00^V{ugS*Lv~G6i(fP z@%#Drzt9S~_doMlFO??nLR|D=Krf;tM0#Z8fG(?0rnf@-4WiyJJl66vspDH`1%?__ zEviNJT#FLy*boM^YF9#eYexl}mtZydI}MJRCUdh>?fFxmUX?7>B%Kb#Y%iFkJe;d% zzD(^Non2!D3h`^T^FliwkEb}YmP8%b85@uYJ%KZypJ^VH2Kt^9aW%7XdN#Np#_W#b$IIUL2<{PZTG!eCLump zm;j0p2XHphpwH9JB96)b(|?us<)Z%ldgr-z4|ece8e)Hd-Ak)*?yTA#`_;F9n|ODc5yInqBOPQ^C-1UR@B|OU7!HQN zz>?Pb-SUmbMjQ^$3OGH>1#RGfw&6%9Q|s`-U6L#vY<5gZ)7hy&J(kq0>*zY~TeGXE 
z)RD+^A&CS}?mRGRgX5^E3QBt~<(>Cxurt-oIH>4p!BJ!5R-m^ znpjY$?o~4Br=MR8SG$jJ!|?RkyK-YZ$^8y`ibpshp#3BV=n-u^_RMS_20r%+J7{Xf z;1mAsCpe(D33MRi6>%VdQWY6Mld9l=02oRW2as9U;s7}^@LnQ5fdp6ELU=LYUT_&N z4iLgXx{eXNT}=!3;NW$3u8V`F1trYw)U^vDPQ3HzVYsm~Ss2(p4!DnPgJF7*IDi9g z`-dl$^Ka+WdVZzpP@oeNW0KvFI@fMEV%!FUuxriJRr)fc^$MnX?|isly3HoZR55*3 zch}WoU%RE^>qwJ@J$H8fv-|kk%HKi5(RPbf;kg+)(IU&`RRG4;3Gt0HyVhuqZNqC@ zYwUJ?P_V_0S??iQ*WIVS?V1^K?aMuTKW0ME=)4|hS%r3m$y`$Qs*<-UXkp-t2Sg9v z!e`fsUc{#z+K`^M`)l8HmX1WiNkS@BO_Vf8*?qM3w6v1lh$Rx(IzP~~(l=J2wUcLX z0FmAS9|oVU#F>#?1omOt{X%?A-+bL_yfUH)&1ok$C@OznO}u=(QhVWG9$;CDzyY1R z(WN;BAB3&#yGL0M%TRG_UETdI zD+%K2Jj3+oK2lK+I`JH5KHk;-lz8I#6cwUb=HcAR3I{3g@{sH*^I&p%Cix?lAckC> zBWN|mQXdD{`$7;Po0uI_vzbG$DAdVJYVGev-9I4GV_0sYYZRPDU2P{+j!}$28qRQC zd9Xq{t=w@RQjdlg7#Lp^4l_p!turlsRnDaNdx8YF416a4@g3y27b2`*S-I$ZMvCX` zj5`lSBF&)IO?!zl>fTfs?hsXHSH9vF{ZBMGUvdQ-6@ ztTbrEm#V>a0E{{Q$W1vH-i@(e0qC_klf-o%e7|+~MP^wu=VyXr&et-1vVY3u#m%nG z&6sT6w{;mf@!`~X>AV-8K~v2tm0FgIvLBwl8x8D&SH1*u?Qio6bSBkf*M^a3XJW^bW$zMB!vFm(ry_%?BZPR#i=5fqXnrFxM3H*MwnD3n` zqE=t_mQirkp?bz0R5X5mIY*N;-uu=hEIZNz~8nU}~sz5x< zfw}b^ydZ)PD)==ccy^x|j7oLznR=)h>(jT*4%y_vR?45jXWy=mIgqARYBmfymM-z$ zQ@OcQ-7@MRjNJ$%`s07fH&r3{29`WtW|b2rc_&j)?%Z^%0onwTJN4@_oJ z=dTe;lm^wQQz>vFbn97^hn2@S88lwT#}Deg3DzsFXpA|qsg3l?KCYTeWxi<2g$!0Z z-~fm^O7r(`be&J`l;8_S^>Y{!$bR9yT>YX;q<9LrFzHT15NGm5T~pVmg>}^hM;tIU zfa!zLPE2*4m?*Z$Bzec~>X5Lrxb$EHx31KwkwzIQHw;b(^UDs|LHDAIP%&G^lSEfY zf3g<33O*aNtZ0%gIzF;mSRUI@^}(8edzSG7%$=3!Bc!vn#qnaF2Nxurcj(#DxsksB%)MWqcx+JMI+(?QtrRZ$#ZLka#= z6e>)^(6fIg@?ur#S(PBoLf%E3z-~laOy_lqnA8n?#li0m_Vox3_$$|*+tLB22d;Z7 z)|S7=qqltMv#2^s-KQB6gE>Scy>b5c)CN{BYd{zI-XfiCT=6S~9LT{XkIQO&_C(IY zgakHCnJRv0y$n%>1o}Al*Otf{HBtCPu!0AK5XN)|Y?I<7tkDq3a(<9&ysrwmg`*jt5jDn7J+fE zcD~-ZP_%Q&K_zN$BE!;+iDMT*EgCHx)4ck_OStaYRcjRj<)3Q+s7=pk{=!aVkJ1jE z8jFp;q}&XuYjXn=#-jAPP5GN@k+7)a3)8WuWyHR3SWA{#3h;@|qd}4hQ_y%Ok~-MD za4M>7ra7KyCNAyuZIxq^n3gi^O`pZ7W?4{-PEDml&b=)nmzv6A zos#AfP1vPO4Or$uE1uy~+Zbm|QT#=Y=UgQ!{^<~hi`Fl~2d_a(ANOg7bU-Kuz@Mgd 
z4g_iO|7yHRk^AGFpxW}+v+5LTA;`NIlriw(JS415jikA%5b=5Y)UCkQk^St8>sHKy z@rRe^OX8&t%}DuqNGP4jOzBufxkK$Jn<`xc49>|HaOOx{h6H!IsXS=f5Q}5Jlknla zB@+v^I3Yld3A7~~f`RSSo|iIBtTVd)geIu-N?A^SAYTvQJAZ6f7lJTEg{fovXI=O$ z+&S@Fw5=tN%vnhk;etTu_N(mhihTZbJt~o5GUfr8G)=QEO*EEt!o)7#be%RZ4oiRU zn-aD(z`dIF(+Nk6nFfK|)Y7Jj&oGE4FD#*xKeOu5hV#Mwmy-WZpY@uIL9hn~V5!ok(Tm4jCK!pie8uD|v}xi1Dgiqj@CdJ5Krw+)5nH!W5(`vo)?uWe z<6(6yPeb+Mc+3KbWJ)1-qwaal*e>zG&zXkz7cS3){3y?%Pk^mgO}1Y~oio2z?5Fou zU#*E2AK$k6bc7{8f?oG&#nR#cl0MiCn#u}A5mBsHzrov!oxHDsyj?*QD5{-UX$1(` zHDP`}hNic|V~u&$)#LS$sG&0mnRDlbNH7ji^jMkG0hGM9y{LwqxU26SJ`h8Ww76*KI-wlGTnN@M8*A3o&p-HT~0R*4H_k| zm^w*nxJI~RdgD#jfb8>bN|MDd*H6?*eC8C9jfp2SJeIZh@4S7+84_a+${?MGQ!V0v zV1#Hv<}}2{Zv4a>ndQTVxS#SuT#JN=EpZ7-f{_D5jKgFaPH7GEeYF6JcU{vHoF2?v6FR1BNZqi-B5=ie z-3KvcVgsFpk&6}Sm^KaKcD!JKB`>^bnH_ZD4(c7}bM#5WKBB|(_JWu`3;5b3?0iLC zd!`ja&W^{!8BY3T;te0p;jRR|sz;@4Jy_W#G~Cq@n;VpP@>vFpXXfz^$?40qw+MS= z$esOT)2h^0mxP`UhQ_Mi+@;jMx%8oZM?G{-Z>Ta# zvSU_8U%|@V(P>3@QF-N^V%8ivk(??cmlRY&nmQv(0q{+H2UnEv6u;IsB!<|Tp6E|5 zwWu^uTsrUF^CG!dltB!Lb5<6Mm>8a*(T~UH@7m>yrQ;i@qsOvorWzZ;t0)6 z7>AS?wHka-ts;<}P*>Sp9bs92>Uhxf@o}M;Wg-a?$pM-9Mkl%3Cm6a=Zm0cpN(*W$%Pk@mgoo zQ}C64O3O>kF8AWnN3Re3)V%q%RwMX0%$LVwcTA*X`R`8k=ynwwxnY3suAf_ z&mC=nL}>j`K;P`7$c&xXH9bF(sJ`RsN!Xq0Xcav9lA*^L>)=68eWq1SY+H{@qaDEd^X+n?=_ew}*ADKjC51|hTWvMh6UO&W-VPg+<=`_F zA5s4CJECVQh#|V>vt+L5@d!LCRjWGi-j6tWu{J=e=o!LuLdVCdmcSxi-&3!jqF zTya6Dmcm}oh*Vx;SLR$AUCLY1TikCC1~%*n?=q7($uT4^&QZ?HZc+I=t!rrz5{n}q zcCNI`o0o2}u|(bcQF*SA3KVXQDZw!g{cAd#D$l*Xy<45vX;a zXVcCBqa;F|ycj5;+tMnoqK^5VyyDyn-!J(L&w8e_a$}^jAyNtI)5s}_jknJE5DI?O z4B4*4FO8@oFb2Qp&te0A7`UlCub|bLd8Ps?((|>@naa{4<+vGr+!td1oTsN`=k%8D z_MZqZxxcd%0Pxd`@kz!iO5p(XrbA^pDstgGhR)O{Xmfr8T~g5@aO;q4HD=-EtNBnO zTHy>oJ%+!X{96p8H`^z7oNkAFdhu!ELj+7Apd~)CPBu38wzYlxqMC(-mio?(P(<^N z4JXKgXD-4q$N!UvgE=-TpDP8sg@;3U7-c+`4sN|aBY>Zzw%iu6E$J1Oj2V!JIdzZLOo+ZmOB7H{T$P4nmzQv2jD+i zrNKt>bdbQ*KR>@36+yOO^ALiZhKQ6nQ(+$C@n*Qw%Wo0O2>VzmC4Q*)yF}wFq$~@y zBv~TqOAP1W2#=!DH{ZTo+<;z?*C6X23GZ-r$BvhLaBHKMXn$Ta=(skJLg@x+e2oJn 
zhsqrX`3y>{;)fF4X%>v`Y}t^^zlQMqG6K=aoRz7U-}vaY{c~$0Bju!Y`v`WgZa*W} zCSPi*>mA2lc=uYVl2c`CL}VCmo|M#pMe}I6Wm`am#suY*U4ge5kh#T zdpY^T?$Ii(gV!@DvK&?jb=W>Q#Ir64W?rb&*uTPgtl`qSDH$;yVtCanB!0(1@M~!2 z*INhE@T>OO5Z1YG=Vew(qvnt-n1T#%pR}MiQQgjV+>@f)ZD}8`o_<#mzu*y6^EcEC z+&g8L8Cu_`e4K;G{n~kYS+f4gzd!op?jK0y$^&FrXi+v#BF1-Me8c?=5i8M8yJ*b^ zM%_{4iGNXaVpxJyD2ANOks$1mUtf-t-d|(oh$n|2=b`ETw=I2O3hJ~dJ?&v*0rd0w zj@&w4x`XO@7YI3Uh68@eN??DXxE61iJ)kI38#MZGK!mv@^HT`al7|8<*upBJOwqf1 zL$ic0Go#Cv)-co$@ehB1e-IwHq-xv#@fxx607z(=@&^ z;B_C66&9QKb)^D6I1w$mQ|GYwWwa5t^AQm)VlGW#WpF@sGM;(%-eJLKH=@wrkoyrV zJm8k9&)g$x&iDeOICaP@UtrPYHqlgv>1pLM`776AC+2zH#Hj(+K6CBkvSj;X9VK4R zKT{>`uMykPD1ds=fWvAN5h@4=Eb2u$dG^_+lq5NeZoF^CGt{Ai>w?iz1ksCy7)4|o zlos>iQ|-BE41O>)Iz7s^S&a=d{%ivW$d6&9KAj75p&tH@l2m?|qZw8{2w6?lvj}L} z5{^BnXQ&Q$$pr2LOqXh)(V5T?$!LN_ePKLJ!dNkns+?D`ie_q%qfp*v(2>8RB294W zpx$XnhXlX%G+`H9HGUXSoFU!L9*=**3O8X}la21BLsR1eg<3)^R&QwQR3X51f2)IP z9>myny5D_bAbfe+Jjmnb{=;LE>aPwPs*ngQanhhVo_c3ZEhYK2lGwBtCydr0;W$_N z#zrubES;`N3Oe~^hAf6oPJ_0o9xugI9pl}W&lSSl$caF~HLFIB-uC4hTxro&`)WsX z*eeswe}=U2*g?pF76-nTMcQ=41@l5V zU&k-hpvz)`^vcfR0EH4Cy&baO=kupAp?Do1hppKObu|tca(Kw<59maoI))yDn6e(v z-)W=|lpTsVmp&3fCYT)<#A7?~DRC}6!O89LzPbyZF$+`s$Q&O(hl8}b`%9(aZHWx|904tw8H+L%BVEh*XGLxA~1J*VJkv&U3|^ z_|*|d6)(Q@vS5dwgbzD9u^0H|{0yd%$nz&c8`n+qBcbKJgSBkYLc*xLEmJb%_-6A$ zm3|ksa@+Cz#CR!Zl%XG<0!5bLfF``UryUPwDb&sIS)(ZUbfXDXxM-V??Q4MyRG!jo zF+fr>(idRwQ^&K4NOPlyo@>-hGLvwymF$@Y+bxxtd9_rv5#TF+11R`=lrUC44_i}x z$gsf(-BLfVoC|Fo&Sf)nRRMuhEsA&$D%)OW`=9NbrmOI7LxUQ^dud0}MUV6OJPwF* z*U{7C^k>t9yMp@r=N=)S?`9Q{^6SzuYXvFXTstgnH*#BTsBUdKxTb!p<`)3oO!}4| zmlW2NG@AZIdc@nCv-pQ-dos^3oT82hIW+VM;aAg{SM#-R&!Z;(tog)fMDP+_Eo~%oMprp_^4to&nMjin_GdB%n0wjboS!P+=y22OQ$F3+eC{brOk&Q z^~uh>sHh4%)x68etzF+FV)j$mc_@o{#rrO%&%^H>*mh)>y(6G&5+WF}h#?e1bCzWk z@k1_=psp`L>mws~Q_m~83TB5MZYX%s3ohv~nWw_|-aY%`$l!z@OP*k2Lt{ao!4|x} zFy_sfNAajSy{!!+9PAJRdHc)<&89T(FxW+$okTjR@`5+XN7C_7X(n*|?TS*&v{|Qr zv5E2KM{zqvX3O~;N^0z<5;H0$&%0K`&Y9QhUR*44ZhibfL&92@!J|$w#dpzn)SDU3 
z$<%eqg^t+SsYrPDHj`kTm^b)xXhN;Sp=Y2-(3f^k9)Y*g_kPiw{C4f=oA!f!jIgiq z!)IL=9hF00xt-*W7j6FUjrajZDi+eTPH2fQO@w&RYmk8dVhiX$cGZ(p0RI1YtnX6@ zVTHpS{p^KOYxf-=;Hi@YdbWRL*vMADo>J5S;0K z&q!RFy^UW~5sd?|b*cM@bMu|>Bb&-N$aPa_L84xTqr|a^E`>-J^`sZ5B_|HTlVie{ zj8O^TlR=(29aH`!DeRCvgh1`jwq-;lX3faQ(2$=Kr)5`NLvree@IkJ5I#Lrp;gc#g zB~5y-E1HOvT!1K$2AmGoH`{imHQF2pA@^J(KdH+N%$mUuMEdnqxiIeq17UlCUoK+c z&d4BE$o1KD16}RLty%SQv$eB{7LOd2mZ<=NKJeBdFDkoV95#%dfMlEHL79)Z_Gkvq z#+_0icTx)Ed_nqYoPNTH32=1UeS;Pe{^!fQ5f< z4nZ55))2LYpLO(v3RrVtXRvq-d8^7no!hJ=B>p_CEo)W5JnG{v`x! ztSplJ@Dq4xQQ)-m5cYBeyfo=B)fL2yY0~caGun|C!_qoaKn98N(+W9wfq1|A0(b@4 z8^lj)Xu_ZW%5n1lWsH{2YlY$+T;`dYnVCmZW1RN=w+wKY(pAmGq4{b<6Q2TKR207)U*Y}rhqqwk zG$CIPJ^Xd|R=B|$f<|LQWbO*8H7(gbbp86|NfDXCrFb^nk{elcce7ZC$}M@8QhDXD z*eVX8;U*gQ5bX_0_f80r+vL4oad*rVU6cCsuxb>ene+2jzwR!O$3G{ixs^e)mbzl@ zFHlzZ^m|FOMfa^2(dndpevn9AacMDsZh$pQY4IVpGIAlEk89YmCp%8gNzpIf)XJD6 z-Babs2JaTk=*oDN07~F_-H#E`nIx~Mlj5kcWWqx+f`{J_7Oiii#;OCQd2e`*M z&V0ox#uuSTzQh6h1(_EyTUdLOvv2)r zoUR{!dDSjMSM5t2un|8&eso26{3AE(WdLxESZwgz-%>)Be7~r=lC1gmR&8YX)hU?{ z|LZ&XTMt2kbJzjIXJI;3uGrJHm%tRYvIO?nepThHAXg{@o=4wJ;_B_A6<;r(!5pL~* z+jsdiO*=%Rfg2@;nUtEwt3Uq_Y!9(gcm=OB9V%!~wGLFDe*XqD_l!J^i;KguiKR;Y z;ITuxC|W3)RzjCGCX21jjd$m2pKoVdQ<$Jn>4d4lc9>3xOSIAz*r^ekZIlWmJfvI6 zDtfB?!(ZkRLe>A>dDqf0Th8=zLt+nEO1wB_0|%7y;e|a4dFT=Bj&D;icv%v%6^WM` z$J${la6rA$@Wk2l6l(6)4!x!kn?%XN+!;mQ`PUz^G{>q(u>1Ran2?c+5mP7$Iv1@c zV)ht?kBgX?)8Q`j&^Td*zdL;U1?oDBesbqr0(6jO!(?K^7#6&6aFk{q zU1)TOmysE6Zr+bw$-2D!<`urU>_PeaTFC#Y{|`tf5-aM-L}Z>(h@-nExXyEGF@>k$ zu%(7E>9ha}RR!8dBu}aHkl^7;4BuB1i20m7qcYophU3E7>k0AcNj$UBQjUjjWN^sZ zBzO;BwTbejpfWHYerL2gHtDh6WL9%*dMmPYdO4Xt()5Sf#_6XMMlE}>eM5!Q6_-pj z_1ZqmcyjojB~;T$$`TuHk?~l5G^PP^6;t$V>RHYHSEz6PY+>#aEY?2j&CQIG&P+T) zgLCMQMrNr_b{lGqq4|=xPOp!|mFOY3d^#02Pa%1;Mk4~tBO=@a9Opx#%Ezpoi^6&h zYJZ)Dkf3!%JkT%I7C|(!3H53_X}(oc(PHdip|xX7frjZgb&Lrd_WaN+Lca9k^O#c_ z_*u*{4j}I318dX_?=fzUwfxGAR+J+tV;D8q5|iu?FD^kme5|{W{PM+%)$*p_UlH5M zb#F9(Sc%M$-SuuK24xpF_Z<^`L;XU>4o!Pe@7XEgw5!@wns*iQc#9kZhq~}A+Fyt~ 
zOvOkr0SZ_Y)^j`62IJ4?$4t`-PTq7``$se%#W7b~*HBIug2T7wlJU25lcFnV$mRi8 zPL^4(MfMlp%%vGZ2?$|dlTx_*DTTlmbju{rh3!%rojQTIRlN9K7ihs`e?$L8ZeLjN z0Vaes1TW#qH^+w-lDo)D&H}AHAk1;P-aY``&rS~uDS?iLTpz|SkpJ64z5kvV@4xbNJ$8*&;-m;*wLxWmhqo>1>y7ir$so@O^wn# z+2T8*Qj{RG{a@{UWl)^m)@9?t2?5fOFLHLb}yW$lz4^4z015S%e)F?qC!d}G2CulakK|Thxgz2+( ztebD+c&BAt>n4T_@O3$;%O)ZF9i)}5A^NJgm_{w?SEXy|82EGX{Q700s~{Xr*nPt& z7D%n*s*c8nY6`RIUn$)c$t6nH?tL3_ERwLenh@$c&0DYlZy&CNjW-X0-?!=b^-^gf zNwrcycUR!4PqDHcGnG_<7N-aIHX!-yzX25&1pCRVQQnm1Jb7v`c6~9#>jaNe613-nH8Qgbv)LO6*_^PUKMzoCFAiJ>+dnl zt>lh6N@k{T+s@i-I-=sz}xBWL|^T9P1dDm2&;Od7r zH#gvwcW3K&>H~Ke8xx@0PvDQYtH|Z{4}UsJ-lgl1DB8IwviBP7RSFoPSDzBL+HYbd z>7uWuKWsKc+I@okBKfC$vwRQ}`uwb(#u7+;YdA}lG;{kDre7?w)Som`R&^sY+i*#LD%7>jsX@72-n!38h7y z{1Q9x=Gd{C+QLVe)Bfm*!z-PVCoy?Ja9LNu*l8)TAJ8XHSpCaBc{WEfGMM_Ywi@ZT z6^9h%vu6TIxC)biTCv<@Q`LVf4*sMa{{~MF-G?74tGxE{8@RY4nW(e|q<9F$B|j~5Y0kAsjKmTVoz!~}!R<1zL^PawzZM z>dfln(d*ST+7rL(+xx(?4LeLytaEE+_0yGlf?9rrF^pAsPqlO6D%zY9H%t; zZ20AD-Y|gb^+&-zwC&g~58VXoW>eBc1cAQo5zr-*9czky?cO#FpEcS#`Khr}m*9%k zicg=CvG-j`vFsW#E}gQ!wD>{LOf1EN@{#)IajP4V`egnXvBvYl=IcCmc2FO}(u&*J zW%iu*BdBkyn4oAO? z!cuPu5k!Ju`KR?L`bdY@-zuMIiB6d!<)0q%P=J8*9?>CKCoWRI#w0axZ~v9x^Jk4t z$4t3bldiMe+2Rzd8SI?A+(G{rAVK`BOy`U5sdeJ#cxI9F2c2i(iF=69P3IC%nwp+4 zH%g@&cC12dK5R1Cjr%IbF?l7%4)lx-(asINzwF3$niJSrBlA;AQ;zEKIPp>w#89!y zTh!N@5&riAWJ`BN#wi;z=Cx$lkht`6KRDh};>_FGc;t9L8UWDeN%x9Wr&hAY0Fwc2 zQIrrhJhr7!Exlw%k+jiMcm-{|Lo#%~#TRz_iOtv;PIad^QT;4R>y?<&{8ddigISuThT=0E? 
z;-=1j$l%ODlFMn7-u>9}A&%Sl2(ME2P!37NKa>mqoASZ)bFTf7iAlv~j}fGHsbny< zC#vZxE10_7Ac*>!^oFTL;p|oFZT1;^(8yNcA(z?L?7*f9}Kl6!U^D>OMcYGkBiQI#QYsSqWVPNxUC%Bg0~yBpuJZsDkX!UbB6);imSjAQmTRW zmUNj*#fLbJMa)y`kK@XaUtp!oY}+!mWcoJ)c5HY|=)xQyQc-L-kH`wjw8wUTPc5=s zClu{ed!T>{@mME(6DQcDffxAPZ}eTXaB96HPQ<9{Y2Vb>a&ks{3qp)UuXOa71UD=I z&`ea95jOMlpsLKF1B5ncHG|pdJwX(S?PRfI)qZL_e=+0TFn_rJ zK%+qrWsGVWfhN>zD!5o`QWvF%sHbN{x#h>9(51y1k4mqPsw7KAdq_PZefaom0S~wN z-Q5Zw7_}{3Gl-}6-0g79+37N!xtf?a*Bw0o!C;6x{jn|1dvbQR@G)hKaW+PxqoaqK zMm$gbczD25xrkOLTSC`&*Ybe}&`V3YcPY)|hJar%u8%E8(!b~l5OWE0;=E5-qn+2W z2*~Z_dW}3WGNbathVj?AvIJlCr}agb3Ew7FC#5+mQYvq$RFm~Ykt^W0dSbRl(g!awvaA{}b;^pUqP$&&I9HP2YqAuOSSF5+C7S*Fm81F@~l@%K0Kp5{e)#tYrj z6VtrCaWX4Rqi)5MaaNb_KpAMiMxqVCYhlXa?^#Tp?MD=I4@X>S)wk0%X{|0l(1v={ zzOxRxw{#EkvY%9J_y25uQ7Q4$q1v}Qm!4^+qn~@DqA&lygw!XSb%Ii7PNV%Osgs0BOdRpwZ{Q=ySykn`L{eHbk+5R*y8 zQhbnr|NK_S^2qt~E~a1sX>I$jM*hL%NAVkqi!xAWEbPY&{^I*F4x8I=eo0VYMBe@j4sUtDU_B!ZOoR}Kjz z80fIr5M8g!FJH9O{)=qS=^QFU_rNFqIE=0p`Y9qcU6XM?eIj%0db7H=brtu{#Be{b^LjUMB4 zOYVK(Y;W#@DUqc&+`S?A%$9Q@k5*$TMc-dsV;Q!&;Wa@L-C-}8-&=kckd2H99H5;u z>FmX?tZ;e4G*Ov0%Co%70aeajmlI5w#97jYYm{I13viXyOqJJvtzxN1=;ybkEE)4L zA0`59vohFM+-J^(4bjXAwQT6T$XtPywHHQ#&oe#A6efPokT`q-TsL+slJfx@uFkrJ zomgK}12~>MS9v5^6gon;L@tjdPIC-O8($E;Uf)8 z>aQ7&=t3_`hgf{}G(wN;7v2iOcIy$JQu(~CHPjB))XXuHf8nm+R0X$O+z7+oVLWj*cK{h zteoYLh)X$_KDUauhaN)VP{`Vv_^IkR~k>^`KIdhsqg7_+BF%IE7EgJ5cJ0QI@t0Ph_X3 z(r;7qpXPc#StvI=(+^t`{TQJTUCX!qh!Yw=jz>R(G5+l$QQMV_4y5LYZCS#S0=G+( zfjQHAD3UZgz+nIC-IYAG!?4vyEI+~@587;jLE z-&=IvM;YwEb=O2sKxADdHH}G2d}5LY5rO!0yEN^X{cFq5!kBAQ*X_bb%Qef3qmY?8 zunb&rwwNMmzZ@bSBg5AA3(v~kiJ=XSh}H6fP#EH4^S$f3*_x*NF+km-NMXkcVW-s^ zyN+2;5N8>(zPGf5ji5Ylnk7|+z6i6RvFYdjjFvBSd0n;H$TuL;>xffPi%(?VYDjDV z$n^e(Wwj~C4)pUZA+8S3Zf=;bAcT>eKWZf_a1`L)q8BYp^XJE5uBG9ZUSl)A_EapI%STA;hl@+Oku;vkF4KpMVmnRfL%$cS1Xy3^(*&B zy~^_J9q&haA^9I^YlY!-Yg-KR$H2ZQ{$h@w%XBT+IrH&EA@vQrJ;8#i6r5FT!6~7M z7ZW%w|I<_{!2oII2fnt-@VUwI{pB$#*w+Xmb`5jV3HJ-#r2ovg=I`ibe-o|zzj{)p 
zyXWj6^d5{05gD$qXFjVWH)$gtB$-=}Q2@Q^v;WrxlN4SCZ0T~-n=SQ5lJ6R$3mP>; z36mbl{*nr!d|mv#W}GCvsLvaUNXB=j9`Pt*`okvJ^}BI61yH`!n5y45#lS5vcl5s} z`PPT897b9Ryq|`64$w@0K2=Hnm35js-^e&H(-en^KHC$t`Ca0*)~=yQa(RFJZkluE zF~o-nB~u&zG>1=27zzW7C(2H4HXs@jm1_L`EmN2ry*Tdw23T1VUT9@LP;v}!k}!!+ zWjfZCcS(Qi+u!A$*~DyF$azbF0SSDl+#I90J}1 zBfkoE%~vC4_)$u(ccg42i9o4)*NU6iT7{+zg^QO7=h*||xl~&zh&+dqnXcA$nOSW6 z;avHEGq!+Kygap3%JOgyRae*0VQ8NU`rDc(y~+lqK2!*d`3Cf-kHB%Pm%p-9D=dqP zOZy3RE?n8dhYcLnJ%a?4 zzmU^^rhMsU64z5r+MkuUVnsfVG}owU5+}+7;xQjfJ8V*5yx5Vj@AN+@TBI2;iFV(p zN*ReVYZQP;YN_V!B$EMIr=2$5_Ex7X<8W=33|HRkpYX%VDXZ7OQ3>Qyt8Ys?UhJ8p zDftbU8>RiT$5TVl0!`F^LQ*yMiQ;u}@*ZV6So9$;Xx~nBKHhIife^5Pm^0`x@ZOk2 zQ(z2T=;^2Z254qs&;AB9@=#52q-|R~NfM+YW*7u~$5;%qKJcR)&fc5Mdm7Mrp&m5l zjz(63e9{N5O(EbF8m`&m98yu+pU2A%?|KP4d*wAeoyyS2Yy=wfZbFky`Vclt`eNcQU+8@#E+MtNhx?CZQ``%!pV)3 zgpUqj%4s&p>KB#Gf`{Vkpo16^j+Sj$759w=9C{V`OyycduRd{DV~0cL3q?tM2bvHw z%nqWB^ZYKPftUJujVI{a^Xle6r30(Zsi1jKLz{0SlRjm>MyUX%@)vn4YdqO_LqqJz zCHrL|IFI_ZvY-djw5CTQhroTB5u?vXTLUlIZt;14Al%S1FIfFc7y0{8g)-hk;_W-E*Mbjz^+}(wn=F#eEgAnSeP5J7F^k$sl)>y1kwU{0c7%ODp zSG7wjzGp2ng2p>nZcUsgig#M7j48MPQbF^VA=oK4j4rJ0G#WEJUaf4cZOJ2{_ptZ5 zm6*{(5fhXc0k}%S86Dh{i!)2F|g+ z5%z3cPV2dDcXxL`326bqjcU@N@i)MxVRG+D$FvKtvXKLom=QiT2cKp0Vi_Z^-1;`N zh#J4HmZ}<&x>*OK^HZwYgbfq!eSUY2lSZz9JrPSc4Q+HgRcby@$6p2M|9vB2QS}FH z6(L=|`6R4*dm@Y-E3EOutCWN$V22t8*EDtZzNHYLSQud&UF8sD{6q|$0S>8*rKDIO&oW!0C3fqAv3HF zeH{jrp~=uWMA<|YYZuTjuT-QEG-{@6Pk7~8V^G5e?QNAXj!kVN`zniv zL-aksNX;&=$dZj}my7s!u7*z`V(FQ9S`38K3fF=o&@5A=ueG*2^%o#xK=CpeMk|Qf zR%)wmb;4WUb!*1iD_WKZzBT1;ANV>Er98BS#{@|Vp)ujBU=^SNjz5h?E6I8;e6)Of z7h~UbEY}KOE7-Vz7;F-Z;PK2ntyt_b%c<4_SZU#HENc`JBTUKuN6^MS8x5!P7h{+V zO4`S6`ee=PMTL_x^qz$mYW|M5yocA+>w}0{>>ipo_8k;_5|1dE2&tnt@d;GuLTln- zza0Mlmisrr(Eoat_ODn+|Fbp!C9S3ZS#RjS{Llp~rib&4la_>qJHf7UWHQMyaZa>W zq94)qxsUz8i`i6`+2^yRebzQ}d*CT6$40%V-+<~41JaA6vKb8=;O4CA?9_<0P2( ["wazuh.indexer:9200"] - user => "${INDEXER_USERNAME}" - password => "${INDEXER_PASSWORD}" - ssl => true - ca_file => "/usr/share/logstash/root-ca.pem" - index 
=> "wazuh-alerts-4.x-*"
- query => '{
- "query": {
- "range": {
- "@timestamp": {
- "gt": "now-5m"
- }
- }
- }
- }'
- schedule => "*/5 * * * *"
- }
-}
-
-output {
- stdout {
- id => "output.stdout"
- codec => json_lines
- }
- s3 {
- id => "output.s3"
- access_key_id => "${AWS_ACCESS_KEY_ID}"
- bucket => "${S3_BUCKET_RAW}"
- codec => "json_lines"
- encoding => "gzip"
- endpoint => "${AWS_ENDPOINT}"
- prefix => "%{+YYYY}%{+MM}%{+dd}"
- region => "${AWS_REGION}"
- retry_count => 0
- secret_access_key => "${AWS_SECRET_ACCESS_KEY}"
- server_side_encryption => true
- server_side_encryption_algorithm => "AES256"
- time_file => 5
- validate_credentials_on_root_bucket => false
- additional_settings => {
- "force_path_style" => true
- }
- }
- file {
- id => "output.file"
- path => "/usr/share/logstash/logs/indexer-to-file-%{+YYYY-MM-dd-HH}.log"
- file_mode => 0644
- codec => json_lines
- flush_interval => 30
- }
-}
diff --git a/integrations/amazon-security-lake/logstash/setup.sh b/integrations/amazon-security-lake/logstash/setup.sh
deleted file mode 100644
index 9527f1fa58362..0000000000000
--- a/integrations/amazon-security-lake/logstash/setup.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/bash
-
-# This script creates and configures a keystore for Logstash to store
-# indexer's credentials. NOTE: works only for dockerized logstash.
-# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
-
-# Create keystore
-/usr/share/logstash/bin/logstash-keystore create --path.settings /etc/logstash
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME --path.settings /etc/logstash
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD --path.settings /etc/logstash
diff --git a/integrations/amazon-security-lake/requirements.aws.txt b/integrations/amazon-security-lake/requirements.aws.txt
deleted file mode 100644
index ea911617dede4..0000000000000
--- a/integrations/amazon-security-lake/requirements.aws.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-pyarrow>=10.0.1
-pydantic>=2.6.1
\ No newline at end of file
diff --git a/integrations/amazon-security-lake/requirements.txt b/integrations/amazon-security-lake/requirements.txt
deleted file mode 100644
index 7d14ea9fb1b10..0000000000000
--- a/integrations/amazon-security-lake/requirements.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-pyarrow>=10.0.1
-parquet-tools>=0.2.15
-pydantic>=2.6.1
-boto3==1.34.46
\ No newline at end of file
diff --git a/integrations/amazon-security-lake/src/lambda_function.py b/integrations/amazon-security-lake/src/lambda_function.py
deleted file mode 100644
index e56caa4bf6426..0000000000000
--- a/integrations/amazon-security-lake/src/lambda_function.py
+++ /dev/null
@@ -1,185 +0,0 @@
-import logging
-import os
-import urllib.parse
-import json
-import gzip
-import boto3
-import pyarrow as pa
-import pyarrow.parquet as pq
-from botocore.exceptions import ClientError
-import wazuh_ocsf_converter
-
-logger = logging.getLogger()
-logger.setLevel("INFO")
-
-# Initialize boto3 client outside the handler
-if os.environ.get('IS_DEV'):
- s3_client = boto3.client(
- service_name='s3',
- aws_access_key_id=os.environ.get('AWS_ACCESS_KEY_ID'),
- aws_secret_access_key=os.environ.get('AWS_SECRET_ACCESS_KEY'),
- region_name=os.environ.get('REGION'),
- endpoint_url=os.environ.get('AWS_ENDPOINT'),
- )
-else:
- s3_client = boto3.client('s3')
-
-
-def get_events(bucket: str, key: str) -> list:
- """
- Retrieve events from S3 object.
- """
- logger.info(f"Reading {key}.")
- try:
- response = s3_client.get_object(Bucket=bucket, Key=key)
- data = gzip.decompress(response['Body'].read()).decode('utf-8')
- return data.splitlines()
- except ClientError as e:
- logger.error(
- f"Failed to read S3 object {key} from bucket {bucket}: {e}")
- return []
-
-
-def write_parquet_file(ocsf_events: list, filename: str) -> None:
- """
- Write OCSF events to a Parquet file.
- """
- table = pa.Table.from_pylist(ocsf_events)
- pq.write_table(table, filename, compression='ZSTD')
-
-
-def upload_to_s3(bucket: str, key: str, filename: str) -> bool:
- """
- Upload a file to S3 bucket.
- """
- logger.info(f"Uploading data to {bucket}.")
- try:
- with open(filename, 'rb') as data:
- s3_client.put_object(Bucket=bucket, Key=key, Body=data)
- return True
- except ClientError as e:
- logger.error(
- f"Failed to upload file (unknown) to bucket {bucket}: {e}")
- return False
-
-
-def exit_on_error(error_message):
- """
- Print error message and exit with non-zero status code.
- Args:
- error_message (str): Error message to display.
- """
- print(f"Error: {error_message}")
- exit(1)
-
-
-def check_environment_variables(variables):
- """
- Check if required environment variables are set.
- Args:
- variables (list): List of required environment variable names.
- Returns:
- bool: True if all required environment variables are set, False otherwise.
- """
- missing_variables = [var for var in variables if not os.environ.get(var)]
- if missing_variables:
- error_message = f"The following environment variables are not set: {', '.join(missing_variables)}"
- exit_on_error(error_message)
- return False
- return True
-
-
-def get_full_key(src_location: str, account_id: str, region: str, key: str, format: str) -> str:
- """
- Constructs a full S3 key path for storing a Parquet file based on event metadata.
-
- Args:
- src_location (str): Source location identifier.
- account_id (str): AWS account ID associated with the event.
- region (str): AWS region where the event occurred.
- key (str): Event key containing metadata information.
- format (str): File extension.
-
- Returns:
- str: Full S3 key path for storing the Parquet file.
-
- Example:
- If key is '20240417_ls.s3.0055f22e-200e-4259-b865-8ccea05812be.2024-04-17T15.45.part29.txt',
- this function will return:
- 'ext/src_location/region=region/accountId=account_id/eventDay=20240417/0055f22e200e4259b8658ccea05812be.parquet'
- """
- # Extract event day from the key (first 8 characters)
- event_day = key[:8]
-
- # Extract filename (UUID) from the key and remove hyphens
- filename_parts = key.split('.')
- filename = ''.join(filename_parts[2].split('-'))
-
- # Construct the full S3 key path for storing the file
- key = (
- f'ext/{src_location}/region={region}/accountId={account_id}/eventDay={event_day}/(unknown).{format}'
- )
-
- return key
-
-
-def lambda_handler(event, context):
-
- # Define required environment variables
- required_variables = ['AWS_BUCKET', 'SOURCE_LOCATION', 'ACCOUNT_ID', 'REGION']
-
- # Check if all required environment variables are set
- if not check_environment_variables(required_variables):
- return
-
- # Retrieve environment variables
- dst_bucket = os.environ['AWS_BUCKET']
- src_location = os.environ['SOURCE_LOCATION']
- account_id = os.environ['ACCOUNT_ID']
- region = os.environ['REGION']
- ocsf_bucket = os.environ.get('S3_BUCKET_OCSF')
- ocsf_class = os.environ.get('OCSF_CLASS', 'SECURITY_FINDING')
-
- # Extract bucket and key from S3 event
- src_bucket = event['Records'][0]['s3']['bucket']['name']
- key = urllib.parse.unquote_plus(
- event['Records'][0]['s3']['object']['key'], encoding='utf-8')
- logger.info(f"Lambda function invoked due to {key}.")
- logger.info(
- f"Source bucket name is {src_bucket}.
Destination bucket is {dst_bucket}.")
-
- # Read events from source S3 bucket
- raw_events = get_events(src_bucket, key)
- if not raw_events:
- return
-
- # Transform events to OCSF format
- ocsf_events = wazuh_ocsf_converter.transform_events(raw_events, ocsf_class)
-
- # Upload event in OCSF format
- ocsf_upload_success = False
- if ocsf_bucket is not None:
- tmp_filename = '/tmp/tmp.json'
- with open(tmp_filename, "w") as fd:
- fd.write(json.dumps(ocsf_events))
- ocsf_key = get_full_key(src_location, account_id, region, key, 'json')
- ocsf_upload_success = upload_to_s3(ocsf_bucket, ocsf_key, tmp_filename)
-
- # Write OCSF events to Parquet file
- tmp_filename = '/tmp/tmp.parquet'
- write_parquet_file(ocsf_events, tmp_filename)
-
- # Upload Parquet file to destination S3 bucket
- parquet_key = get_full_key(src_location, account_id, region, key, 'parquet')
- upload_success = upload_to_s3(dst_bucket, parquet_key, tmp_filename)
-
- # Clean up temporary file
- os.remove(tmp_filename)
-
- # Prepare response
- response = {
- 'size': len(raw_events),
- 'upload_success': upload_success,
- 'ocsf_upload_success': ocsf_upload_success
- }
- return json.dumps(response)
diff --git a/integrations/amazon-security-lake/src/models/__init__.py b/integrations/amazon-security-lake/src/models/__init__.py
deleted file mode 100644
index 8dc7d9f3af00b..0000000000000
--- a/integrations/amazon-security-lake/src/models/__init__.py
+++ /dev/null
@@ -1,2 +0,0 @@
-import models.wazuh
-import models.ocsf
diff --git a/integrations/amazon-security-lake/src/models/ocsf.py b/integrations/amazon-security-lake/src/models/ocsf.py
deleted file mode 100644
index 63ab7fc7102a5..0000000000000
--- a/integrations/amazon-security-lake/src/models/ocsf.py
+++ /dev/null
@@ -1,104 +0,0 @@
-import pydantic
-import typing
-import abc
-
-
-class AnalyticInfo(pydantic.BaseModel):
- category: str
- name: str
- type_id: int = 1
- uid: str
-
-
-# Deprecated since v1.1.0. Use AnalyticInfo instead.
-class Analytic(pydantic.BaseModel):
- category: str
- name: str
- type: str = "Rule"
- type_id: int = 1
- uid: str
-
-
-class TechniqueInfo(pydantic.BaseModel):
- name: str
- uid: str
-
-
-class AttackInfo(pydantic.BaseModel):
- tactic: TechniqueInfo
- technique: TechniqueInfo
- version: str = "v13.1"
-
-
-class FindingInfo(pydantic.BaseModel):
- analytic: AnalyticInfo
- attacks: typing.List[AttackInfo]
- title: str
- types: typing.List[str]
- uid: str
-
-
-# Deprecated since v1.1.0. Use FindingInfo instead.
-class Finding(pydantic.BaseModel):
- title: str
- types: typing.List[str]
- uid: str
-
-
-class ProductInfo(pydantic.BaseModel):
- name: str
- lang: str
- vendor_name: str
-
-
-class Metadata(pydantic.BaseModel):
- log_name: str = "Security events"
- log_provider: str = "Wazuh"
- product: ProductInfo = ProductInfo(
- name="Wazuh",
- lang="en",
- vendor_name="Wazuh, Inc,."
- )
- version: str = "1.1.0"
-
-
-class Resource(pydantic.BaseModel):
- name: str
- uid: str
-
-
-class FindingABC(pydantic.BaseModel, abc.ABC):
- activity_id: int = 1
- category_name: str = "Findings"
- category_uid: int = 2
- class_name: str
- class_uid: int
- count: int
- message: str
- metadata: Metadata = Metadata()
- raw_data: str
- resources: typing.List[Resource]
- risk_score: int
- severity_id: int
- status_id: int = 99
- time: int
- type_uid: int
- unmapped: typing.Dict[str, typing.List[str]] = pydantic.Field()
-
-
-class DetectionFinding(FindingABC):
- class_name: str = "Detection Finding"
- class_uid: int = 2004
- finding_info: FindingInfo
- type_uid: int = 200401
-
-
-# Deprecated since v1.1.0. Use DetectionFinding instead.
-class SecurityFinding(FindingABC):
- analytic: Analytic
- attacks: typing.List[AttackInfo]
- class_name: str = "Security Finding"
- class_uid: int = 2001
- finding: Finding
- state_id: int = 1
- type_uid: int = 200101
diff --git a/integrations/amazon-security-lake/src/models/wazuh.py b/integrations/amazon-security-lake/src/models/wazuh.py
deleted file mode 100644
index f73ed832b9165..0000000000000
--- a/integrations/amazon-security-lake/src/models/wazuh.py
+++ /dev/null
@@ -1,50 +0,0 @@
-import pydantic
-import typing
-
-# =========== Wazuh event models =========== #
-# These are only the fields required for the integration.
-
-
-class Mitre(pydantic.BaseModel):
- technique: typing.List[str] = ["N/A"]
- id: typing.List[str] = ["N/A"]
- tactic: typing.List[str] = ["N/A"]
-
-
-class Rule(pydantic.BaseModel):
- firedtimes: int = 0
- description: str = "N/A"
- groups: typing.List[str] = []
- id: str = "N/A"
- mitre: Mitre = Mitre()
- level: int = 0
- nist_800_53: typing.List[str] = []
-
-
-class Decoder(pydantic.BaseModel):
- name: str = "N/A"
-
-
-class Input(pydantic.BaseModel):
- type: str = "N/A"
-
-
-class Agent(pydantic.BaseModel):
- name: str
- id: str
-
-
-class Manager(pydantic.BaseModel):
- name: str
-
-
-class Event(pydantic.BaseModel):
- rule: Rule = Rule()
- decoder: Decoder = Decoder()
- input: Input = Input()
- id: str = ""
- full_log: str = ""
- agent: Agent = {}
- timestamp: str = ""
- location: str = ""
- manager: Manager = {}
diff --git a/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py b/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py
deleted file mode 100644
index 494a3c62a7fa6..0000000000000
--- a/integrations/amazon-security-lake/src/wazuh_ocsf_converter.py
+++ /dev/null
@@ -1,185 +0,0 @@ -import pydantic -import models -import logging -from datetime import datetime - - -timestamp_pattern = "%Y-%m-%dT%H:%M:%S.%f%z" - - -def normalize(level: int) -> int: - """ - Normalizes rule level into the 0-6 range, required by OCSF. - """ - if level >= 15: # (5) Critical - severity = 5 - elif level >= 11: # (4) High - severity = 4 - elif level >= 8: # (3) Medium - severity = 3 - elif level >= 4: # (2) Low - severity = 2 - elif level >= 0: # (1) Informational - severity = 1 - else: - severity = 0 # (0) Unknown - - return severity - - -def join(iterable, separator=","): - return (separator.join(iterable)) - - -def to_detection_finding(event: models.wazuh.Event) -> models.ocsf.DetectionFinding: - """ - Convert Wazuh security event to OCSF detection finding. - """ - try: - - finding_info = models.ocsf.FindingInfo( - analytic=models.ocsf.AnalyticInfo( - category=", ".join(event.rule.groups), - name=event.decoder.name, - uid=event.rule.id - ), - attacks=[ - models.ocsf.AttackInfo( - tactic=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.tactic), - uid=", ".join(event.rule.mitre.id) - ), - technique=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.technique), - uid=", ".join(event.rule.mitre.id) - ) - ) - ], - title=event.rule.description, - types=[event.input.type], - uid=event.id - ) - - resources = [models.ocsf.Resource( - name=event.agent.name, uid=event.agent.id)] - - severity_id = normalize(event.rule.level) - - unmapped = { - "data_sources": [ - event.location, - event.manager.name - ], - "nist": event.rule.nist_800_53 # Array - } - - return models.ocsf.DetectionFinding( - count=event.rule.firedtimes, - message=event.rule.description, - finding_info=finding_info, - raw_data=event.full_log, - resources=resources, - risk_score=event.rule.level, - severity_id=severity_id, - time=to_epoch(event.timestamp), - unmapped=unmapped - ) - except AttributeError as e: - logging.error(f"Error transforming event: {e}") - return {} - - 
-def to_security_finding(event: models.wazuh.Event) -> models.ocsf.SecurityFinding: - """ - Convert Wazuh security event to OCSF's Security Finding class. - """ - try: - - analytic = models.ocsf.Analytic( - category=", ".join(event.rule.groups), - name=event.decoder.name, - uid=event.rule.id - ) - - attacks = [ - models.ocsf.AttackInfo( - tactic=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.tactic), - uid=", ".join(event.rule.mitre.id) - ), - technique=models.ocsf.TechniqueInfo( - name=", ".join(event.rule.mitre.technique), - uid=", ".join(event.rule.mitre.id) - ) - ) - ] - - finding = models.ocsf.Finding( - title=event.rule.description, - types=[event.input.type], - uid=event.id - ) - - resources = [models.ocsf.Resource( - name=event.agent.name, uid=event.agent.id)] - - severity_id = normalize(event.rule.level) - - unmapped = { - "data_sources": [ - event.location, - event.manager.name - ], - "nist": event.rule.nist_800_53 # Array - } - - return models.ocsf.SecurityFinding( - analytic=analytic, - attacks=attacks, - count=event.rule.firedtimes, - message=event.rule.description, - finding=finding, - raw_data=event.full_log, - resources=resources, - risk_score=event.rule.level, - severity_id=severity_id, - time=to_epoch(event.timestamp), - unmapped=unmapped - ) - except AttributeError as e: - logging.error(f"Error transforming event: {e}") - return {} - - -def to_epoch(timestamp: str) -> int: - return int(datetime.strptime(timestamp, timestamp_pattern).timestamp()) - - -def from_json(json_line: str) -> models.wazuh.Event: - """ - Parse the JSON string representation of a Wazuh security event into a dictionary (model). - """ - # Needs to a string, bytes or bytearray - try: - return models.wazuh.Event.model_validate_json(json_line) - except pydantic.ValidationError as e: - print(e) - - -def transform_events(events: list, ocsf_class: str) -> list: - """ - Transform a list of Wazuh security events (json string) to OCSF format. 
- """ - logging.info("Transforming Wazuh security events to OCSF.") - ocsf_events = [] - for event in events: - try: - wazuh_event = from_json(event) - if ocsf_class == 'DETECTION_FINDING': - ocsf_event = to_detection_finding(wazuh_event).model_dump() - else: - ocsf_event = to_security_finding(wazuh_event).model_dump() - ocsf_events.append(ocsf_event) - except Exception as e: - logging.error(f"Error transforming line to OCSF: {e}") - return ocsf_events diff --git a/integrations/docker/.env b/integrations/docker/.env deleted file mode 100644 index 0e43e74546626..0000000000000 --- a/integrations/docker/.env +++ /dev/null @@ -1,44 +0,0 @@ -# Password for the 'elastic' user (at least 6 characters) -ELASTIC_PASSWORD=elastic - -# Password for the 'kibana_system' user (at least 6 characters) -KIBANA_PASSWORD=elastic - -# Set the cluster name -CLUSTER_NAME=elastic - -# Set to 'basic' or 'trial' to automatically start the 30-day trial -LICENSE=basic - -# Port to expose Elasticsearch HTTP API to the host -ES_PORT=9201 - -# Port to expose Kibana to the host -KIBANA_PORT=5602 - -# Increase or decrease based on the available host memory (in bytes) -MEM_LIMIT=1073741824 - -# Wazuh version -WAZUH_VERSION=4.10.1 - -# Wazuh Indexer version (Provisionally using OpenSearch) -WAZUH_INDEXER_VERSION=2.18.0 - -# Wazuh Dashboard version (Provisionally using OpenSearch Dashboards) -WAZUH_DASHBOARD_VERSION=2.18.0 - -# Wazuh certs generator version -WAZUH_CERTS_GENERATOR_VERSION=0.0.1 - -# OpenSearch destination cluster version -OS_VERSION=2.18.0 - -# Logstash version: -LOGSTASH_OSS_VERSION=8.9.0 - -# Splunk version: -SPLUNK_VERSION=9.4.0 - -# Version of Elastic products -STACK_VERSION=8.17.1 diff --git a/integrations/docker/compose.amazon-security-lake.yml b/integrations/docker/compose.amazon-security-lake.yml deleted file mode 100644 index 8c9b610b97c6f..0000000000000 --- a/integrations/docker/compose.amazon-security-lake.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -name: "amazon-security-lake" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - container_name: events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - container_name: wazuh.indexer - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - # - cluster.name=opensearch-cluster - - node.name=wazuh.indexer - - discovery.type=single-node - # - cluster.initial_cluster_manager_nodes=opensearch-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - 
./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - ./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - container_name: wazuh.dashboard - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 # Map host port 5601 to container port 5601 - expose: - - "5601" # Expose port 5601 for web access to OpenSearch Dashboards - volumes: - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - logstash: - depends_on: - - wazuh.indexer - # image: wazuh/indexer-security-lake-integration - image: logstash-oss:${LOGSTASH_OSS_VERSION} - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - # container_name: wazuh.integration.security.lake - # hostname: wazuh.integration.security.lake - environment: - LOG_LEVEL: trace - LOGSTASH_KEYSTORE_PASS: "SecretPassword" - MONITORING_ENABLED: false - AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" - AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - AWS_REGION: "us-east-1" - S3_BUCKET_RAW: 
"wazuh-aws-security-lake-raw" - AWS_ENDPOINT: "http://s3.ninja:9000" - ports: - - "5000:5000/tcp" - - "5000:5000/udp" - - "5044:5044" - - "9600:9600" - volumes: - - ../amazon-security-lake/logstash/pipeline:/usr/share/logstash/pipeline - - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - - s3.ninja: - image: scireum/s3-ninja:latest - container_name: s3.ninja - hostname: s3.ninja - ports: - - "9444:9000" - volumes: - - s3-data:/home/sirius/data - - aws.lambda: - image: wazuh/indexer-security-lake-integration:lambda - build: - context: ../amazon-security-lake - environment: - AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE" - AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" - REGION: "us-east-1" - AWS_BUCKET: "wazuh-aws-security-lake-parquet" - S3_BUCKET_OCSF: "wazuh-aws-security-lake-ocsf" - AWS_ENDPOINT: "http://s3.ninja:9000" - SOURCE_LOCATION: "wazuh" - ACCOUNT_ID: "111111111111" - IS_DEV: true - OCSF_CLASS: SECURITY_FINDING - volumes: - - ../amazon-security-lake/src:/var/task - ports: - - "9000:8080" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - depends_on: - generate-certs-config: - condition: service_completed_successfully - container_name: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" - volumes: - - ./certs/:/certificates/ - - ./config/certs.yml:/config/certs.yml - -volumes: - data: - s3-data: 
diff --git a/integrations/docker/compose.indexer-elastic.yml b/integrations/docker/compose.indexer-elastic.yml deleted file mode 100644 index fa4f20b8165b3..0000000000000 --- a/integrations/docker/compose.indexer-elastic.yml +++ /dev/null 
@@ -1,259 +0,0 @@ -name: "elastic-integration" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - - node.name=wazuh.indexer - - discovery.type=single-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 # Map host port 5601 to container port 5601 - expose: - - "5601" # Expose port 5601 for web access to OpenSearch Dashboards - volumes: - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - depends_on: - generate-certs-config: - condition: service_completed_successfully - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" - volumes: - - ./certs/:/certificates/ - - 
./config/certs.yml:/config/certs.yml - - # ================================= - # Elasticsearch, Kibana and Logstash - # ================================= - # https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html - - setup: - image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} - volumes: - - es_certs:/usr/share/elasticsearch/config/certs - user: "0" - command: > - bash -c ' - if [ x${ELASTIC_PASSWORD} == x ]; then - echo "Set the ELASTIC_PASSWORD environment variable in the .env file"; - exit 1; - elif [ x${KIBANA_PASSWORD} == x ]; then - echo "Set the KIBANA_PASSWORD environment variable in the .env file"; - exit 1; - fi; - if [ ! -f config/certs/ca.zip ]; then - echo "Creating CA"; - bin/elasticsearch-certutil ca --silent --pem -out config/certs/ca.zip; - unzip config/certs/ca.zip -d config/certs; - fi; - if [ ! -f config/certs/certs.zip ]; then - echo "Creating certs"; - echo -ne \ - "instances:\n"\ - " - name: es01\n"\ - " dns:\n"\ - " - es01\n"\ - " - localhost\n"\ - " ip:\n"\ - " - 127.0.0.1\n"\ - " - name: kibana\n"\ - " dns:\n"\ - " - kibana\n"\ - " - localhost\n"\ - " ip:\n"\ - " - 127.0.0.1\n"\ - > config/certs/instances.yml; - bin/elasticsearch-certutil cert --silent --pem -out config/certs/certs.zip --in config/certs/instances.yml --ca-cert config/certs/ca/ca.crt --ca-key config/certs/ca/ca.key; - unzip config/certs/certs.zip -d config/certs; - fi; - echo "Setting file permissions" - chown -R 1000:1000 config/certs; - find . -type d -exec chmod 750 \{\} \;; - find . 
-type f -exec chmod 640 \{\} \;; - echo "Waiting for Elasticsearch availability"; - until curl -s --cacert config/certs/ca/ca.crt https://es01:9200 | grep -q "missing authentication credentials"; do sleep 30; done; - echo "Setting kibana_system password"; - until curl -s -X POST --cacert config/certs/ca/ca.crt -u "elastic:${ELASTIC_PASSWORD}" -H "Content-Type: application/json" https://es01:9200/_security/user/kibana_system/_password -d "{\"password\":\"${KIBANA_PASSWORD}\"}" | grep -q "^{}"; do sleep 10; done; - echo "All done!"; - ' - healthcheck: - test: ["CMD-SHELL", "[ -f config/certs/es01/es01.crt ]"] - interval: 1s - timeout: 5s - retries: 120 - - es01: - depends_on: - setup: - condition: service_healthy - image: docker.elastic.co/elasticsearch/elasticsearch:${STACK_VERSION} - volumes: - - es_certs:/usr/share/elasticsearch/config/certs - ports: - - ${ES_PORT}:9200 - environment: - - node.name=es01 - - cluster.name=${CLUSTER_NAME} - - cluster.initial_master_nodes=es01 - - ELASTIC_PASSWORD=${ELASTIC_PASSWORD} - - bootstrap.memory_lock=true - - xpack.security.enabled=true - - xpack.security.http.ssl.enabled=true - - xpack.security.http.ssl.key=certs/es01/es01.key - - xpack.security.http.ssl.certificate=certs/es01/es01.crt - - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.transport.ssl.enabled=true - - xpack.security.transport.ssl.key=certs/es01/es01.key - - xpack.security.transport.ssl.certificate=certs/es01/es01.crt - - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt - - xpack.security.transport.ssl.verification_mode=certificate - - xpack.license.self_generated.type=${LICENSE} - mem_limit: ${MEM_LIMIT} - ulimits: - memlock: - soft: -1 - hard: -1 - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s --cacert config/certs/ca/ca.crt https://localhost:9200 | grep -q 'missing authentication credentials'", - ] - interval: 10s - timeout: 10s - retries: 120 - - kibana: - depends_on: - es01: - condition: 
service_healthy - image: docker.elastic.co/kibana/kibana:${STACK_VERSION} - volumes: - - es_certs:/usr/share/kibana/config/certs - ports: - - ${KIBANA_PORT}:5601 - environment: - - SERVERNAME=kibana - - ELASTICSEARCH_HOSTS=https://es01:9200 - - ELASTICSEARCH_USERNAME=kibana_system - - ELASTICSEARCH_PASSWORD=${KIBANA_PASSWORD} - - ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES=config/certs/ca/ca.crt - - SERVER_SSL_ENABLED=true - - SERVER_SSL_KEY=/usr/share/kibana/config/certs/kibana/kibana.key - - SERVER_SSL_CERTIFICATE=/usr/share/kibana/config/certs/kibana/kibana.crt - mem_limit: ${MEM_LIMIT} - healthcheck: - test: - [ - "CMD-SHELL", - "curl -s -I https://localhost:5601 | grep -q 'HTTP/1.1 302 Found'", - ] - interval: 10s - timeout: 10s - retries: 120 - - logstash: - depends_on: - es01: - condition: service_healthy - image: logstash-oss:${LOGSTASH_OSS_VERSION} - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - environment: - LOG_LEVEL: info - MONITORING_ENABLED: false - volumes: - - ../elastic/logstash/pipeline:/usr/share/logstash/pipeline - - ./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - - es_certs:/etc/certs/elastic - command: logstash -f /usr/share/logstash/pipeline/indexer-to-elastic.conf - -volumes: - data: - es_certs: diff --git a/integrations/docker/compose.indexer-opensearch.yml b/integrations/docker/compose.indexer-opensearch.yml deleted file mode 100644 index 8fc2c4364117c..0000000000000 --- a/integrations/docker/compose.indexer-opensearch.yml +++ /dev/null 
@@ -1,194 +0,0 @@ -name: "opensearch-integration" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - - node.name=wazuh.indexer - - discovery.type=single-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 - expose: - - "5601" - volumes: - - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER.SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - - name: opensearch.node - ip: \"opensearch.node\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - - name: opensearch.dashboards - ip: \"opensearch.dashboards\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - depends_on: - generate-certs-config: - condition: service_completed_successfully - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 
/certificates/*" - volumes: - - ./certs/:/certificates/ - - ./config/certs.yml:/config/certs.yml - - # ================================================ - # OpenSearch, OpenSearch Dashboards and Logstash - # ================================================ - - opensearch.node: - image: opensearchproject/opensearch:${OS_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - environment: - - cluster.name=opensearch-cluster - - node.name=opensearch.node - - discovery.type=single-node - - bootstrap.memory_lock=true - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - - "DISABLE_INSTALL_DEMO_CONFIG=true" - volumes: - - ../opensearch/opensearch.yml:/usr/share/opensearch/config/opensearch.yml - - ./certs/opensearch.node-key.pem:/usr/share/opensearch/config/certs/opensearch.key - - ./certs/opensearch.node.pem:/usr/share/opensearch/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch/config/certs/root-ca.pem - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - ports: - - 9201:9200 - - 9600:9600 - healthcheck: - test: - [ - "CMD-SHELL", - "curl -sku admin:admin https://opensearch.node:9200 2>&1 | grep -q 'The OpenSearch Project: https://opensearch.org/'", - ] - interval: 1s - timeout: 5s - retries: 120 - - opensearch-dashboards: - image: opensearchproject/opensearch-dashboards:${OS_VERSION} - depends_on: - opensearch.node: - condition: service_healthy - ports: - - 5602:5601 - expose: - - "5602" - volumes: - - ../opensearch/opensearch_dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/opensearch.dashboards-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/opensearch.dashboards.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - - environment: - - 
'OPENSEARCH_HOSTS="https://opensearch.node:9200"' - - logstash: - image: logstash-oss:${LOGSTASH_OSS_VERSION} - depends_on: - opensearch.node: - condition: service_healthy - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - environment: - LOGSTASH_OSS_VERSION: ${LOGSTASH_OSS_VERSION} - LOG_LEVEL: info - MONITORING_ENABLED: false - volumes: - - ../opensearch/logstash/pipeline:/usr/share/logstash/pipeline - - ./certs/root-ca.pem:/etc/ssl/root-ca.pem - command: logstash -f /usr/share/logstash/pipeline/indexer-to-opensearch.conf - -volumes: - data: - os_config: diff --git a/integrations/docker/compose.indexer-splunk.yml b/integrations/docker/compose.indexer-splunk.yml deleted file mode 100644 index 9f9681f8cb965..0000000000000 --- a/integrations/docker/compose.indexer-splunk.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -name: "splunk-integration" - -services: - events-generator: - image: wazuh/indexer-events-generator - build: - context: ../tools/events-generator - depends_on: - wazuh.indexer: - condition: service_healthy - command: bash -c "python run.py -a wazuh.indexer" - - wazuh.indexer: - image: opensearchproject/opensearch:${WAZUH_INDEXER_VERSION} - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - hostname: wazuh.indexer - ports: - - 9200:9200 - environment: - - WAZUH_INDEXER_VERSION=${WAZUH_INDEXER_VERSION} - - node.name=wazuh.indexer - - discovery.type=single-node - - bootstrap.memory_lock=true - - "DISABLE_INSTALL_DEMO_CONFIG=true" - - plugins.security.ssl.http.enabled=true - - plugins.security.allow_default_init_securityindex=true - - plugins.security.ssl.http.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.transport.pemcert_filepath=/usr/share/opensearch/config/wazuh.indexer.pem - - plugins.security.ssl.http.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.transport.pemkey_filepath=/usr/share/opensearch/config/wazuh.indexer-key.pem - - plugins.security.ssl.http.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.ssl.transport.pemtrustedcas_filepath=/usr/share/opensearch/config/root-ca.pem - - plugins.security.authcz.admin_dn="CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California, C=US" - - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m" - ulimits: - memlock: - soft: -1 - hard: -1 - nofile: - soft: 65536 - hard: 65536 - healthcheck: - test: curl -sku admin:admin https://localhost:9200/_cat/health | grep -q docker-cluster - start_period: 10s - start_interval: 3s - volumes: - - data:/usr/share/opensearch/data - - ./certs/wazuh.indexer.pem:/usr/share/opensearch/config/wazuh.indexer.pem - - ./certs/wazuh.indexer-key.pem:/usr/share/opensearch/config/wazuh.indexer-key.pem - - 
./certs/root-ca.pem:/usr/share/opensearch/config/root-ca.pem - - wazuh.dashboard: - image: opensearchproject/opensearch-dashboards:${WAZUH_DASHBOARD_VERSION} - depends_on: - - wazuh.indexer - hostname: wazuh.dashboard - ports: - - 5601:5601 # Map host port 5601 to container port 5601 - expose: - - "5601" # Expose port 5601 for web access to OpenSearch Dashboards - volumes: - - ./certs/:/usr/share/opensearch-dashboards/config/certs/ - - ./certs/wazuh.dashboard-key.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.key - - ./certs/wazuh.dashboard.pem:/usr/share/opensearch-dashboards/config/certs/opensearch.pem - - ./certs/root-ca.pem:/usr/share/opensearch-dashboards/config/certs/root-ca.pem - environment: - WAZUH_DASHBOARD_VERSION: ${WAZUH_DASHBOARD_VERSION} - OPENSEARCH_HOSTS: '["https://wazuh.indexer:9200"]' # Define the OpenSearch nodes that OpenSearch Dashboards will query - SERVER_SSL_ENABLED: "true" - SERVER_SSL_KEY: "/usr/share/opensearch-dashboards/config/certs/opensearch.key" - SERVER_SSL_CERTIFICATE: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem" - OPENSEARCH_SSL_CERTIFICATEAUTHORITIES: "/usr/share/opensearch-dashboards/config/certs/root-ca.pem" - - generate-certs-config: - image: alpine:latest - volumes: - - ./config:/config - command: | - sh -c " - echo ' - nodes: - indexer: - - name: wazuh.indexer - ip: \"wazuh.indexer\" - server: - - name: wazuh.manager - ip: \"wazuh.manager\" - dashboard: - - name: wazuh.dashboard - ip: \"wazuh.dashboard\" - ' > /config/certs.yml - " - - wazuh-certs-generator: - image: wazuh/wazuh-certs-generator:${WAZUH_CERTS_GENERATOR_VERSION} - hostname: wazuh-certs-generator - environment: - - WAZUH_CERTS_GENERATOR_VERSION=${WAZUH_CERTS_GENERATOR_VERSION} - depends_on: - generate-certs-config: - condition: service_completed_successfully - entrypoint: sh -c "/entrypoint.sh; chown -R 1000:999 /certificates; chmod 740 /certificates; chmod 440 /certificates/*" - volumes: - - ./certs/:/certificates/ - - 
./config/certs.yml:/config/certs.yml - - # ================================= - # Splunk and Logstash - # ================================= - - generator: - image: cfssl/cfssl - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - volumes: - - ./certs/:/certs/ - - ../splunk/cfssl/:/conf/ - entrypoint: /bin/bash - command: > - -c ' - cd /certs - cat /conf/host.json | \ - cfssl gencert \ - -ca root-ca.pem \ - -ca-key root-ca.key \ - -config /conf/cfssl.json \ - -profile=server - | \ - cfssljson -bare splunk - openssl pkcs8 -topk8 -inform pem -in splunk-key.pem -outform pem -nocrypt -out splunk.key - rm splunk.csr - cat splunk.pem splunk-key.pem root-ca.pem > splunkhec.pem - chown -R 1000:1000 /certs/splunk* - ' - - splunk: - image: splunk/splunk:${SPLUNK_VERSION} - volumes: - - ./certs/splunk.key:/opt/splunk/etc/auth/custom/splunk.key - - ./certs/splunk.pem:/opt/splunk/etc/auth/custom/splunk.pem - - ./certs/splunkhec.pem:/opt/splunk/etc/auth/custom/splunkhec.pem - - ../splunk/config/indexes.conf:/opt/splunk/etc/system/local/indexes.conf - - ../splunk/config/default.yml:/tmp/defaults/default.yml - depends_on: - wazuh-certs-generator: - condition: service_completed_successfully - generator: - condition: service_completed_successfully - ports: - - "8000:8000" - - "8088:8088" - environment: - SPLUNK_VERSION: ${SPLUNK_VERSION} - SPLUNK_HEC_TOKEN: "abcd1234" - SPLUNK_HOSTNAME: splunk - SPLUNK_HTTP_ENABLESSL: "true" - SPLUNK_PASSWORD: Password.1234 - SPLUNK_STANDALONE_URL: https://splunk:8080 - SPLUNK_START_ARGS: --accept-license - - logstash: - image: logstash-oss:${LOGSTASH_OSS_VERSION} - depends_on: - splunk: - condition: service_healthy - build: - context: ../logstash - args: - - LOGSTASH_OSS_VERSION=${LOGSTASH_OSS_VERSION} - environment: - LOGSTASH_OSS_VERSION: ${LOGSTASH_OSS_VERSION} - LOG_LEVEL: info - MONITORING_ENABLED: false - volumes: - - ../splunk/logstash/pipeline:/usr/share/logstash/pipeline - - 
./certs/root-ca.pem:/usr/share/logstash/root-ca.pem - command: logstash -f /usr/share/logstash/pipeline/indexer-to-splunk.conf - -volumes: - data:
diff --git a/integrations/docker/config/certs.yml b/integrations/docker/config/certs.yml
deleted file mode 100644
index 7a4ef691e5e10..0000000000000
--- a/integrations/docker/config/certs.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-nodes: - # Wazuh indexer and OpenSearch server nodes - indexer: - - name: wazuh.indexer - ip: wazuh.indexer - - name: opensearch.node - ip: opensearch.node - - # Wazuh server nodes - # Use node_type only with more than one Wazuh manager - server: - - name: wazuh.manager - ip: wazuh.manager - - # Wazuh dashboard and OpenSearch Dashboards nodes - dashboard: - - name: wazuh.dashboard - ip: wazuh.dashboard - - name: opensearch.dashboards - ip: opensearch.dashboards
diff --git a/integrations/elastic/Dockerfile b/integrations/elastic/Dockerfile
deleted file mode 100644
index 82314abd3c3bd..0000000000000
--- a/integrations/elastic/Dockerfile
+++ /dev/null
@@ -1,19 +0,0 @@
-FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:latest
-
-ENV LOGSTASH_KEYSTORE_PASS "SecretPassword"
-ENV LS_PATH "/usr/share/logstash"
-USER logstash
-
-# https://github.com/elastic/logstash/issues/6600
-# Install plugin
-RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch
-
-COPY --chown=logstash:logstash logstash/pipeline /usr/share/logstash/pipeline
-# Copy and run the setup.sh script to create and configure a keystore for Logstash.
-COPY --chown=logstash:logstash logstash/setup.sh /usr/share/logstash/bin/setup.sh
-RUN bash /usr/share/logstash/bin/setup.sh
-
-# Disable ECS compatibility
-RUN `echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml`
-
-WORKDIR /usr/share/logstash
\ No newline at end of file
diff --git a/integrations/elastic/README.md b/integrations/elastic/README.md
deleted file mode 100644
index 3092a7d85eccd..0000000000000
--- a/integrations/elastic/README.md
+++ /dev/null
@@ -1,47 +0,0 @@ -# Wazuh to Elastic Integration Developer Guide - -This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the Elastic Stack. For a detailed guide on how to integrate Wazuh with Elastic Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/elastic-stack/index.html). - -## Requirements - -- Docker and Docker Compose installed. - -## Usage - -1. Clone the Wazuh repository and navigate to the `integrations/` folder. -2. Run the following command to start the environment: - ```bash - docker compose -f ./docker/compose.indexer-elastic.yml up -d - ``` - -The Docker Compose project will bring up the following services: - -- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)). -- 1x Wazuh Indexer (OpenSearch). -- 1x Logstash -- 1x Elastic -- 1x Kibana - -For custom configurations, you may need to modify these files: - -- [docker/compose.indexer-elastic.yml](../docker/compose.indexer-elastic.yml): Docker Compose file. -- [docker/.env](../docker/.env): Environment variables file. -- [elastic/logstash/pipeline/indexer-to-elastic.conf](./logstash/pipeline/indexer-to-elastic.conf): Logstash Pipeline configuration file. - -Check the files above for **credentials**, ports, and other configurations. - -| Service | Address | Credentials | -| ------------- | ---------------------- | --------------- | -| Wazuh Indexer | https://localhost:9200 | admin:admin | -| Elastic | https://localhost:9201 | elastic:elastic | -| Kibana | https://localhost:5602 | elastic:elastic | - -## Importing the dashboards - -The dashboards for Elastic are included in [dashboards.ndjson](./dashboards.ndjson). The steps to import them to Elastic are the following: - -- On Kibana, expand the left menu, and go to `Stack management`. 
-- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file.
-- Click on Import and complete the process.
-
-Imported dashboards will appear in the `Dashboards` app on the left menu.
diff --git a/integrations/elastic/dashboards.ndjson b/integrations/elastic/dashboards.ndjson
deleted file mode 100644
index a02f7704eb14e..0000000000000
--- a/integrations/elastic/dashboards.ndjson
+++ /dev/null
@@ -1,9 +0,0 @@ -{"attributes":{"fieldAttrs":"{}","fieldFormatMap":"{}","fields":"[]","name":"wazuh-alerts-4.x-*","runtimeFieldMap":"{}","sourceFilters":"[]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x-*","typeMeta":"{}"},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T17:17:45.191Z","id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","migrationVersion":{"index-pattern":"8.0.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-24T17:17:45.191Z","version":"WzI1MSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":7,\"y\":0,\"w\":8,\"h\":5,\"i\":\"9931cceb-51f1-4e47-bd26-491e7a624592\"},\"panelIndex\":\"9931cceb-51f1-4e47-bd26-491e7a624592\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\",\"accessor\":\"df19010a-26e5-446d-9d74-56fe2495e38b\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#db5871\",\"stop\":2}],\"colorStops\":[{\"color\":\"#db5871\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language
\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"b9624937-542e-4ac9-9f09-ae532ade3311\",\"type\":\"exists\",\"key\":\"data.vulnerability.severity\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"data.vulnerability.severity\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"1dc5f9b1-9f0c-458b-98e6-e92708af5b9d\":{\"columns\":{\"df19010a-26e5-446d-9d74-56fe2495e38b\":{\"label\":\"Critical Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Critical\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"df19010a-26e5-446d-9d74-56fe2495e38b\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":8,\"h\":5,\"i\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\"},\"panelIndex\":\"a0b05cdd-c4b5-46b0-af2e-32253bd965e6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"fd6049b6-e52c-449e-9775-ded5ac1eac15\",\"accessor\":\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\",\"layerType\":\"data\",\"textAlign\":\"center\",\"size\":\"xxl\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#0c5da3\",\"stop\":2}],\"colorStops\":[{\"color\":\"#0c5da3\",
\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"fd6049b6-e52c-449e-9775-ded5ac1eac15\":{\"columns\":{\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\":{\"label\":\"Hight Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"High\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"2ce8bbeb-74d7-4e28-b616-6edd33c1f981\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":9,\"h\":5,\"i\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\"},\"panelIndex\":\"b22f2aba-370b-40f2-8f30-c7175fd21d84\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a8774fa0-5ae6-4746-94bd-cd21a0210641\",\"accessor\":\"b7764bb5-540b-4183-a8c5-e9e856e48949\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#007d73\",\"stop\":2}],\"colorStops\":[{\"color\":\"#007d73\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a8774fa0-5ae6-4746-94bd-cd21a0210641\":
{\"columns\":{\"b7764bb5-540b-4183-a8c5-e9e856e48949\":{\"label\":\"Medium Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Medium\\\" \",\"language\":\"kuery\"},\"reducedTimeRange\":\"\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"b7764bb5-540b-4183-a8c5-e9e856e48949\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":9,\"h\":5,\"i\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\"},\"panelIndex\":\"dad9436c-6a56-47cc-a52a-065c86d64c7f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a397e361-0b6a-4d18-b957-2afce890f6c3\",\"accessor\":\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#222222\",\"stop\":2}],\"colorStops\":[{\"color\":\"#222222\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"a532bc3a-2caf-4353-9a37-17d4fb373b0d\",\"alias\":\"data.vulnerability.severity : \\\"Low\\\" 
\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"data.vulnerability.severity\\\":\\\"Low\\\"}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"term\":{\"data.vulnerability.severity\":\"Low\"}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a397e361-0b6a-4d18-b957-2afce890f6c3\":{\"columns\":{\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\":{\"label\":\"Low Severity Alerts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":false,\"filter\":{\"query\":\"data.vulnerability.severity : \\\"Low\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"c0f27509-4ce0-4eca-94c5-e1eddfc176e9\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":25,\"h\":14,\"i\":\"8fe06d85-091b-47aa-a809-aae9150a3314\"},\"panelIndex\":\"8fe06d85-091b-47aa-a809-aae9150a3314\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\
"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"47832b00-8a1a-4d99-8631-89379474c236\",\"accessors\":[\"32448531-8094-4131-89c9-38ed77a620ec\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"yConfig\":[{\"forAccessor\":\"32448531-8094-4131-89c9-38ed77a620ec\",\"axisMode\":\"auto\"}],\"xAccessor\":\"f20c7be6-a511-4b95-be88-6de506dbf1d8\",\"splitAccessor\":\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"47832b00-8a1a-4d99-8631-89379474c236\":{\"columns\":{\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\":{\"label\":\"Top 5 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"32448531-8094-4131-89c9-38ed77a620ec\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f20c7be6-a511-4b95-be88-6de506dbf1d8\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"3h\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"32448531-8094-4131-89c9-38ed77a620ec\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"526e79e6-d985-4fc0-b5f3-ec87f5d24b83\",\"f20c7be6-a511-4b95-be88-
6de506dbf1d8\",\"32448531-8094-4131-89c9-38ed77a620ec\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert severity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":25,\"y\":5,\"w\":23,\"h\":14,\"i\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\"},\"panelIndex\":\"680cfedf-a868-4de2-8173-897f4df7f6d7\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsHeatmap\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"heatmap\",\"layerId\":\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\",\"layerType\":\"data\",\"legend\":{\"isVisible\":true,\"position\":\"right\",\"type\":\"heatmap_legend\"},\"gridConfig\":{\"type\":\"heatmap_grid\",\"isCellLabelVisible\":false,\"isYAxisLabelVisible\":true,\"isXAxisLabelVisible\":true,\"isYAxisTitleVisible\":false,\"isXAxisTitleVisible\":true,\"yTitle\":\"\"},\"valueAccessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\",\"yAccessor\":\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"xAccessor\":\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"palette\":{\"type\":\"palette\",\"name\":\"positive\",\"params\":{\"name\":\"positive\",\"continuity\":\"above\",\"reverse\":false,\"stops\":[{\"color\":\"#d6e9e4\",\"stop\":0},{\"color\":\"#aed3ca\",\"stop\":20},{\"color\":\"#85bdb1\",\"stop\":40},{\"color\":\"#5aa898\",\"stop\":60},{\"color\":\"#209280\",\"stop\":80}],\"rangeMin\":0,\"rangeMax\":null},\"accessor\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a\":{\"columns\":{\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":false},\"6fcc771b-b4e8-4684-80da-49b7b897dc24\":{\"label\":\"Top 3 values of data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.severity\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":false},\"e8d69708-c954-444b-a94f-9eb1befd3197\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6fcc771b-b4e8-4684-80da-49b7b897dc24\",\"e8d69708-c954-444b-a94f-9eb1befd3197\",\"4e7e0e20-a869-417a-b9ba-fac0c17e10ed\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Vulnerabilities heat 
map\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":14,\"i\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\"},\"panelIndex\":\"5a8626af-2bc4-4317-ad7f-20622c16db0a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\"},{\"isTransposed\":false,\"columnId\":\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\"},{\"isTransposed\":false,\"columnId\":\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\",\"hidden\":true},{\"columnId\":\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"isTransposed\":false},{\"columnId\":\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"isTransposed\":false}],\"layerId\":\"d94ddf3d-d285-450e-aba4-46057df55fb7\",\"layerType\":\"data\",\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d94ddf3d-d285-450e-aba4-46057df55fb7\":{\"columns\":{\"542028d8-117e-4ee0-ba25-3ff4475940aa\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":f
alse,\"excludeIsRegex\":false},\"customLabel\":true},\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\":{\"label\":\"data.vulnerability.cve\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.cve\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\":{\"label\":\"data.vulnerability.package.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\":{\"label\":\"data.vulnerability.severity\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949
b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"056be5db-ea40-4979-9985-8f0c73a8dcef\":{\"label\":\"data.vulnerability.package.version\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.vulnerability.package.version\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4732efcd-d7cd-4a02-8b03-c498b3bb637c\",\"542028d8-117e-4ee0-ba25-3ff4475940aa\",\"e26de584-b46b-474e-bcd4-11bd37ff8e2e\",\"1007fe8b-8a98-4b60-b8ef-93cd49227cd4\",\"056be5db-ea40-4979-9985-8f0c73a8dcef\",\"ec84289b-cb43-4fae-9b94-7b17b696e4e0\",\"89ac7aeb-dfe3-449c-a109-6686a3610a4b\",\"5a0e5d4b-1345-4f59-ba8b-662451bf949b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-vulnerabilities-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:41.475Z","id":"1e68dc60-e2b
5-11ed-9db8-9f0e23f622c3","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:indexpattern-datasource-layer-1dc5f9b1-9f0c-458b-98e6-e92708af5b9d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9931cceb-51f1-4e47-bd26-491e7a624592:b9624937-542e-4ac9-9f09-ae532ade3311","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"a0b05cdd-c4b5-46b0-af2e-32253bd965e6:indexpattern-datasource-layer-fd6049b6-e52c-449e-9775-ded5ac1eac15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"b22f2aba-370b-40f2-8f30-c7175fd21d84:indexpattern-datasource-layer-a8774fa0-5ae6-4746-94bd-cd21a0210641","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:indexpattern-datasource-layer-a397e361-0b6a-4d18-b957-2afce890f6c3","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dad9436c-6a56-47cc-a52a-065c86d64c7f:a532bc3a-2caf-4353-9a37-17d4fb373b0d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"8fe06d85-091b-47aa-a809-aae9150a3314:indexpattern-datasource-layer-47832b00-8a1a-4d99-8631-89379474c236","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"680cfedf-a868-4de2-8173-897f4df7f6d7:indexpattern-datasource-layer-6f9a4ce5-1395-4bc6-9dd6-0a8c130e9d8a","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5a8626af-2bc4-4317-ad7f-20622c16db0a:indexpattern-datasource-layer-d94ddf3d-d285-450e-aba4-46057df55fb7","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:41.475Z","version":"WzQ3OSwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":5,\"i\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\"},\"panelIndex\":\"c90b5ced-c476-4336-8248-5f5eee09b7d3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\",\"accessor\":\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1E75B6\",\"stop\":300}],\"colorStops\":[{\"color\":\"#1E75B6\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f7d51ed1-e2c7-4eff-a2f0-426523a27b79\":{\"columns\":{\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\":{\"label\":\"Total\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"bba216ab-0609-4fc7-9f00-3f95df7bd9e5\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\"
:{\"x\":16,\"y\":0,\"w\":8,\"h\":5,\"i\":\"dc864252-a518-4187-80ca-b581ad14f1cb\"},\"panelIndex\":\"dc864252-a518-4187-80ca-b581ad14f1cb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\",\"accessor\":\"65d5d9ac-208b-4393-b498-12f4351445bd\",\"layerType\":\"data\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#e57488\",\"stop\":8}],\"colorStops\":[{\"color\":\"#e57488\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"textAlign\":\"center\",\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"4cd727d8-200d-4869-b702-ff540bd3ff56\",\"alias\":\"rule.level >= 12\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"range\\\":{\\\"rule.level\\\":{\\\"gte\\\":\\\"12\\\"}}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"range\":{\"rule.level\":{\"gte\":\"12\"}}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"a63a4df1-6335-4d1e-a8fb-44d550e0513b\":{\"columns\":{\"65d5d9ac-208b-4393-b498-12f4351445bd\":{\"label\":\"Level 12 or above 
alerts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.level >= 12\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"65d5d9ac-208b-4393-b498-12f4351445bd\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":8,\"h\":5,\"i\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\"},\"panelIndex\":\"4bab10c4-2a6d-4f8f-8094-323581c98950\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"28318134-b7bd-4faa-b21e-b0a6665b526f\",\"accessor\":\"e1a6a50b-cffe-4c92-b756-bad658aee97d\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#d4458d\",\"stop\":4}],\"colorStops\":[{\"color\":\"#d4458d\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"1b7728c2-28d0-40f9-81ed-74e77231242c\",\"alias\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"type\":\"custom\",\"key\":\"query\",\"value\":\"{\\\"bool\\\":{\\\"must\\\":[],\\\"filter\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"bool\\\":{\\\"should\\\":[{\\\"term\\\":{\\\"rule.groups\\\":\\\"authentication_failed\\\"}}],\\\"minimum_should_match\\\":1}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"win_authentication_failed\\\",\\\"lenient\\\":true}},{\\\"multi_match\\\":{\\\"type\\\":\\\"phrase\\\",\\\"query\\\":\\\"authentication_failures\\\",\\\"lenient\\\":true}}],\\\"minimum_should_match\\\":1}}],\\\"should\\\":[],\\\"must_not\\\":[]}}\",\"disabled\":false,\"negate\":false},\"query\":{\"bool\":{\"must\":[],\"filter\":[{\"bool\":{\"should\":[{\"bool\":{\"should\":[{\"term\":{\"rule.groups\":\"authentication_failed\"}}],\"minimum_should_match\":1}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"win_authentication_failed\",\"lenient\":true}},{\"multi_match\":{\"type\":\"phrase\",\"query\":\"authentication_failures\",\"lenient\":true}}],\"minimum_should_match\":1}}],\"should\":[],\"must_not\":[]}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"28318134-b7bd-4faa-b21e-b0a6665b526f\":{\"columns\":{\"e1a6a50b-cffe-4c92-b756-bad658aee97d\":{\"label\":\"Athentication failure\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups : \\\"authentication_failed\\\" or \\\"win_authentication_failed\\\" or 
\\\"authentication_failures\\\"\",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"e1a6a50b-cffe-4c92-b756-bad658aee97d\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":0,\"w\":8,\"h\":5,\"i\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\"},\"panelIndex\":\"3cc5e7d4-2f44-438e-8529-6dfae4e29b16\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsLegacyMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"type\":\"index-pattern\"},{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"67c3da39-aad2-4ff4-812f-15cf135b2d12\",\"accessor\":\"ea00d671-3e3a-434a-8813-1dfa3a023112\",\"layerType\":\"data\",\"textAlign\":\"center\",\"colorMode\":\"Labels\",\"palette\":{\"name\":\"custom\",\"type\":\"palette\",\"params\":{\"steps\":3,\"name\":\"custom\",\"reverse\":false,\"rangeType\":\"number\",\"rangeMin\":null,\"rangeMax\":null,\"progression\":\"fixed\",\"stops\":[{\"color\":\"#1a938a\",\"stop\":2}],\"colorStops\":[{\"color\":\"#1a938a\",\"stop\":null}],\"continuity\":\"all\",\"maxSteps\":5}},\"size\":\"xxl\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"index\":\"933a08d4-fd4c-4829-938c-df17bc87af15\",\"type\":\"exists\",\"key\":\"rule.groups\",\"value\":\"exists\",\"disabled\":false,\"negate\":false,\"alias\":null},\"query\":{\"exists\":{\"field\":\"rule.groups\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"formBased\":{\"layers\":{\"67c3da39-aad2-4ff4-812f-15cf135b2d12\":{\"columns\":{\"ea00d671-3e3a-434a-8813-1dfa3a023112\":{\"label\":\"Authentication 
success\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"rule.groups\",\"isBucketed\":false,\"filter\":{\"query\":\"rule.groups: \\\"authentication_success\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"ea00d671-3e3a-434a-8813-1dfa3a023112\"],\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":5,\"w\":32,\"h\":14,\"i\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\"},\"panelIndex\":\"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"e8600050-5477-49a7-a28e-ce9a47ded5f5\",\"accessors\":[\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"splitAccessor\":\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"xAccessor\":\"c5296771-93c8-48cb-bf57-cad19d8c829e\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"e8600050-5477-49a7-a28e-ce9a47ded5f5\":{\"columns\":{\"8d76d731-1e09-4706-b3d9-48108dd7dd32\":{\"label\":\"Count\",\"dataType
\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"c5296771-93c8-48cb-bf57-cad19d8c829e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":false,\"dropPartials\":false}},\"3f2d0dea-171c-41ed-9452-29106c10a968\":{\"label\":\"Top 5 values of agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"3f2d0dea-171c-41ed-9452-29106c10a968\",\"c5296771-93c8-48cb-bf57-cad19d8c829e\",\"8d76d731-1e09-4706-b3d9-48108dd7dd32\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alerts evolution - Top 5 agents\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":5,\"w\":16,\"h\":14,\"i\":\"e35f33d0-784d-471a-842e-576523d0ca80\"},\"panelIndex\":\"e35f33d0-784d-471a-842e-576523d0ca80\",\"embeddableConfig\":{\"attributes\":{\"title\":\"Top 
Mitre\",\"description\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"pie\",\"layers\":[{\"layerId\":\"d2ef6c07-620f-431e-85f2-77175187e0fe\",\"primaryGroups\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\"],\"metrics\":[\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.3,\"legendSize\":\"xlarge\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"d2ef6c07-620f-431e-85f2-77175187e0fe\":{\"columns\":{\"a676e778-cad9-431e-b520-3e87b3a0afb2\":{\"label\":\"Top 5 values of rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"a676e778-cad9-431e-b520-3e87b3a0afb2\",\"c2640e02-f544-4f25-a0a4-aaec8e9e2f47\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K 
tactics\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":15,\"i\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\"},\"panelIndex\":\"ee6f5f4c-2a18-4733-a593-23c1f2a24376\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"isTransposed\":false,\"columnId\":\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\"},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"columnId\":\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"columnId\":\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"or
derDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},
\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"c74264a6-eb65-4232-9444-a503723c6fdf\":{\"label\":\"rule.mitre.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"c74264a6-eb65-4232-9444-a503723c6fdf\",\"5333b889-bfc5-4e1a-a4e3-54828d1dd91b\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:25.862Z","id":"1002c610-a23f-11ed-9c45-1d7f2cbf4bd8","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"c90b5ced-c476-4336-8248-5f5eee09b7d3:indexpattern-datasource-layer-f7d51ed1-e2c7-4eff-a2f0-426523a27b79","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:indexpattern-datasource-layer-a63a4df1-6335-4d1e-a8fb-44d550e0513b","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"dc864252-a518-4187-80ca-b581ad14f1cb:4cd727d8-200d-4869-b702-ff540bd3ff56","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:indexpattern-datasource-layer-28318134-b7bd-4faa-b21e-b0a6665b526f","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"4bab10c4-2a6d-4f8f-8094-323581c98950:1b7728c2-28d0-40f9-81ed-74e77231242c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:indexpattern-datasource-layer-67c3da39-aad2-4ff4-812f-15cf135b2d12","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"3cc5e7d4-2f44-438e-8529-6dfae4e29b16:933a08d4-fd4c-4829-938c-df17bc87af15","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"fc1f8b94-2637-4f4d-a998-f6a59c6b9e7e:indexpattern-datasource-layer-e8600050-5477-49a7-a28e-ce9a47ded5f5","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e35f33d0-784d-471a-842e-576523d0ca80:indexpattern-datasource-layer-d2ef6c07-620f-431e-85f2-77175187e0fe","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ee6f5f4c-2a18-4733-a593-23c1f2a24376:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard
","updated_at":"2023-04-24T18:37:25.862Z","version":"WzQ3MiwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":29,\"h\":15,\"i\":\"976e6302-500a-427c-bd29-75cee9034fe6\"},\"panelIndex\":\"976e6302-500a-427c-bd29-75cee9034fe6\",\"embeddableConfig\":{\"savedVis\":{\"id\":\"\",\"title\":\"PCI DSS requirements\",\"description\":\"\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false,\"valueAxis\":\"\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":0,\"showCircles\":true,\"circlesRadius\":10,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true
,\"type\":\"count\",\"params\":{\"emptyAsNull\":false},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-10w\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"extendToTimeRange\":false,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"1d\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"includeIsRegex\":true,\"excludeIsRegex\":true},\"schema\":\"group\"}],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}}},\"enhancements\":{}}},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":15,\"i\":\"d299d776-0b4f-4955-b7d6-5717119dba59\"},\"panelIndex\":\"d299d776-0b4f-4955-b7d6-5717119dba59\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\",\"accessors\":[\"0ca7b7c5-03fd-401d-bd44-201d8ca00
b25\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"splitAccessor\":\"852bf376-24f0-4b54-8568-0964c3289eb4\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c85ec231-a4fc-495d-b8d6-1aad7dc1e489\":{\"columns\":{\"e17436ee-06c3-4b4e-acda-f8d379648407\":{\"label\":\"Requirements\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"852bf376-24f0-4b54-8568-0964c3289eb4\":{\"label\":\"Top 5 values of 
agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"e17436ee-06c3-4b4e-acda-f8d379648407\",\"852bf376-24f0-4b54-8568-0964c3289eb4\",\"0ca7b7c5-03fd-401d-bd44-201d8ca00b25\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Requirements by agent\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":17,\"i\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\"},\"panelIndex\":\"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01\",\"embeddableConfig\":{\"attributes\":{\"title\":\"PCI 
DSS\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"951964d6-a0d3-4593-911f-b598f1bdd7a6\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"27ae8c68-e64e-4824-9422-df1611b74c58\"},{\"isTransposed\":false,\"columnId\":\"30508bd4-917e-4614-9922-c445af8e8a8f\"},{\"isTransposed\":false,\"columnId\":\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\"},{\"isTransposed\":false,\"columnId\":\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"df70835d-3cfb-4ead-a942-d60c00330c30\"},{\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"f96a237b-410c-475c-863e-60acde29fc71\",\"isTransposed\":false,\"oneClickFilter\":true}],\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"951964d6-a0d3-4593-911f-b598f1bdd7a6\":{\"columns\":{\"27ae8c68-e64e-4824-9422-df1611b74c58\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"30508bd4-917e-4614-9922-c445af8e8a8f\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7
cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"49885e99-2da3-4165-9b20-9d78ccaca4bd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"df70835d-3cfb-4ead-a942-d60c00330c30\":{\"label\":\"rule.pci_dss\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.pci_dss\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"f96a237b-410c-475c-863e-60acde29fc71\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"7044d45a-dce5-4fbe-8af4-64a9b1e14840\",\"49885e99-2da3-4165-9b20-9d78ccaca4bd\",\"df70835d-3cfb-4ead-a942-d60c00330c30\",\"27ae8c68-e64e-4824-9422-df1611b74c58\",\"30508bd4-917e-4614-9922-c445af8e8a8f\",\"f96a237b-410c-475c-863e-60acde29fc71\",\"f7cf15d8-617e-4a52-bdc2-6b94a9c722ad\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Recent 
events\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:37:10.201Z","id":"ad09bc40-a634-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"976e6302-500a-427c-bd29-75cee9034fe6:kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"d299d776-0b4f-4955-b7d6-5717119dba59:indexpattern-datasource-layer-c85ec231-a4fc-495d-b8d6-1aad7dc1e489","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"f3674cc2-b4c6-44e1-baa9-6dcb9b932a01:indexpattern-datasource-layer-951964d6-a0d3-4593-911f-b598f1bdd7a6","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:37:10.201Z","version":"WzQ2NSwxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":18,\"h\":13,\"i\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\"},\"panelIndex\":\"847a1b06-c15d-41a2-9a08-73b056e959fb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"LINEAR\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight
\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\",\"accessors\":[\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"yConfig\":[{\"forAccessor\":\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\",\"color\":\"#40d4e0\"}]}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"0c3e7889-e551-4507-bb13-1a4ff7d96f96\":{\"columns\":{\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"f4e6f4ad-fca2-4012-9dc4-a34df1d4a5ec\",\"9b7ab5ea-5a4d-4fc1-a493-861ed613bfdb\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Emotet malware 
activity\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":13,\"i\":\"cc5ad74e-c871-4ac3-9487-328adc286921\"},\"panelIndex\":\"cc5ad74e-c871-4ac3-9487-328adc286921\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"5ccb00b3-1675-4c9f-a542-927c5930e66e\",\"accessors\":[\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"splitAccessor\":\"52edc505-8c8a-4965-a3f3-46ca861738af\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"5ccb00b3-1675-4c9f-a542-927c5930e66e\":{\"columns\":{\"52edc505-8c8a-4965-a3f3-46ca861738af\":{\"label\":\"Top 5 values of 
data.title\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.title\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"b662da8a-50ee-4dae-a2bb-25861753d95c\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f001735e-ca2b-455d-a50a-b7f44b005f0b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"52edc505-8c8a-4965-a3f3-46ca861738af\",\"b662da8a-50ee-4dae-a2bb-25861753d95c\",\"f001735e-ca2b-455d-a50a-b7f44b005f0b\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Rootkits activity over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":21,\"i\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\"},\"panelIndex\":\"e3873842-502a-4ba4-a3ab-d5bcdc9d908c\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\"},{\"isTransposed\":false,\"columnId\":\"1169cee0-a32f-48d2-8e12-2919736d710a\"},{\"isTransposed\":false,\"columnId\":\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"125edb0b-de81-41b8-9612-1d87188e2b12\"},{\"isTransposed\":false,\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\",\"hidden\":true},{\"columnId\":\"694278f2-f767-4450-90f5-4a95905e989f\",\"isTransposed\":false},{\"columnId\":\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"isTransposed\":false}],\"layerId\":\"777017d9-58d0-4f3f-8461-64af784d41a4\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"777017d9-58d0-4f3f-8461-64af784d41a4\":{\"columns\":{\"56e30fec-0d21-4af5-9751-7630c08713e8\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"par
entFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\":{\"label\":\"rule.mitre.technique\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.technique\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1169cee0-a32f-48d2-8e12-2919736d710a\":{\"label\":\"rule.mitre.tactic\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.mitre.tactic\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"23107287-fb86-49ea-bdea-79d55b5e7ea4\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"125edb0b-de81-41b8-9612-1d87188e2b12\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-4
93d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a1caa30b-78e1-493d-bb05-f29242d47609\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"rootcheck\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"694278f2-f767-4450-90f5-4a95905e989f\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"1073b1b6-aa33-4e11-841b-0b6459a56603\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"a1caa30b-78e1-493d-bb05-f29242d47609\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"694278f2-f767-4450-90f5-4a95905e989f\",\"56e30fec-0d21-4af5-9751-7630c08713e8\",\"94ca03f4-c063-4be7-b4c1-007c8a6d271a\",\"1169cee0-a32f-48d2-8e12-2919736d710a\",\"1073b1b6-aa33-4e11-841b-0b6459a56603\",\"23107287-fb86-49ea-bdea-79d55b5e7ea4\",\"125edb0b-de81-41b8-9612-1d87188e2b12\",\"a1caa30b-78e1-493d-bb05-f29242d47609\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Security 
alerts\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:31.797Z","id":"f9bb41b0-a3cf-11ed-9187-5147a2b9eedf","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"847a1b06-c15d-41a2-9a08-73b056e959fb:indexpattern-datasource-layer-0c3e7889-e551-4507-bb13-1a4ff7d96f96","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cc5ad74e-c871-4ac3-9487-328adc286921:indexpattern-datasource-layer-5ccb00b3-1675-4c9f-a542-927c5930e66e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"e3873842-502a-4ba4-a3ab-d5bcdc9d908c:indexpattern-datasource-layer-777017d9-58d0-4f3f-8461-64af784d41a4","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:31.797Z","version":"WzQwNywxXQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":15,\"h\":13,\"i\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\"},\"panelIndex\":\"caf3fb07-a3b0-4f51-b000-926f4b26ee4f\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\",\"primaryGroups\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\"],\"metrics\":[\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":
\"data\",\"emptySizeRatio\":0.7,\"legendSize\":\"large\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d\":{\"columns\":{\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"filter\":{\"query\":\"\",\"language\":\"kuery\"}},\"ccea2153-9f5c-4f65-9346-1feceb3783eb\":{\"label\":\"Top 5 values of rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"ccea2153-9f5c-4f65-9346-1feceb3783eb\",\"06ae1d26-0a3a-4f59-b5bd-8cb93b640f86\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Alert 
groups\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":15,\"y\":0,\"w\":33,\"h\":13,\"i\":\"115417e6-11a1-4a55-8055-220b69dad98e\"},\"panelIndex\":\"115417e6-11a1-4a55-8055-220b69dad98e\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":false,\"position\":\"right\",\"showSingleSeries\":false},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"54e72470-df75-47d1-a7a6-3d2f807a39d1\",\"accessors\":[\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"splitAccessor\":\"a195fccb-9268-453a-b824-54f1e3f72d12\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"54e72470-df75-47d1-a7a6-3d2f807a39d1\":{\"columns\":{\"a195fccb-9268-453a-b824-54f1e3f72d12\":{\"label\":\"Top 5 values of 
rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"audit\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"a195fccb-9268-453a-b824-54f1e3f72d12\",\"f518cf1a-0d1d-44c7-97a0-12c5cd840e14\",\"db53a2e0-d936-4f7c-86bb-fc4e20810e64\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":13,\"w\":48,\"h\":13,\"i\":\"edc2487b-0a85-4975-b841-457471ee5cd0\"},\"panelIndex\":\"edc2487b-0a85-4975-b841-457471ee5cd0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\"},{\"columnId\":\
"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"isTransposed\":false},{\"isTransposed\":false,\"columnId\":\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"884cc56d-feb1-40dd-89a9-e006ec72dd85\"},{\"columnId\":\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"isTransposed\":false,\"oneClickFilter\":false},{\"isTransposed\":false,\"columnId\":\"b3369c71-8edb-4569-89df-883f23ea2785\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\",\"hidden\":true,\"colorMode\":\"none\"}],\"layerId\":\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"f001be29-b6cc-4c99-8aae-5941a7f9a8ee\":{\"columns\":{\"5f8c9137-f9b6-4074-ba6c-9fa777b6afdf\":{\"label\":\"rule.groups\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.groups\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"72a21fae-312d-4cbb-8a94-fa24d4b29933\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\
":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"884cc56d-feb1-40dd-89a9-e006ec72dd85\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6bb85b4f-0834-416d-8ade-49d83caac7ee\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"b3369c71-8edb-4569-89df-883f23ea2785\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"233f059c-ccd6-4a64-a6be-4961a3c4d500\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"4a2c3535-ba05-42d2-8dbb-5218d3309ea6\",\"72a21fae-312d-4cbb-8a94-fa24d4b29933\",\"5f8c
9137-f9b6-4074-ba6c-9fa777b6afdf\",\"884cc56d-feb1-40dd-89a9-e006ec72dd85\",\"6bb85b4f-0834-416d-8ade-49d83caac7ee\",\"b3369c71-8edb-4569-89df-883f23ea2785\",\"233f059c-ccd6-4a64-a6be-4961a3c4d500\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":true},\"title\":\"Security alerts\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:36:14.435Z","id":"e30257a0-a641-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"caf3fb07-a3b0-4f51-b000-926f4b26ee4f:indexpattern-datasource-layer-3ef3cbb5-abf3-4697-9e38-f4cf60bcdd5d","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"115417e6-11a1-4a55-8055-220b69dad98e:indexpattern-datasource-layer-54e72470-df75-47d1-a7a6-3d2f807a39d1","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"edc2487b-0a85-4975-b841-457471ee5cd0:indexpattern-datasource-layer-f001be29-b6cc-4c99-8aae-5941a7f9a8ee","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:36:14.435Z","version":"WzQwMCwxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":12,\"i\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\"},\"panelIndex\":\"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"b9d91550-4d81-4724-926b-368cbac70c5c\",\"primaryGroups\":[\"393155df-15ed-400b-bef4-be554873a6c6\"],\"metrics\":[\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"numberDisplay\":\"percent\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"b9d91550-4d81-4724-926b-368cbac70c5c\":{\"columns\":{\"393155df-15ed-400b-bef4-be554873a6c6\":{\"label\":\"Top 5 values of data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}},\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"393155df-15ed-400b-bef4-be554873a6c6\",\"bc0afca3-aed2-4b22-970c-c91ac3e2bc02\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Top 5 events\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":14,\"y\":0,\"w\":34,\"h\":12,\"i\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\"},\"panelIndex\":\"ec92f542-1336-4a92-90e6-548fa7a78db6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"45315f08-c693-4bdc-aa72-8546f280b2b2\",\"accessors\":[\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"93ae869a-82d8-4825-9391-568728d510a7\",\"splitAccessor\":\"588460de-4d21-471e-922f-0b59d3ec977f\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"45315f08-c693-4bdc-aa72-8546f280b2b2\":{\"columns\":{\"93ae869a-82d8-4825-9391-568728d510a7\":{\"label\":\"timestamp\",\"dataType\":\"da
te\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"69651d63-8697-41d8-b639-5d77e806c90a\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true},\"customLabel\":true},\"588460de-4d21-471e-922f-0b59d3ec977f\":{\"label\":\"Top 3 values of data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"69651d63-8697-41d8-b639-5d77e806c90a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false}}},\"columnOrder\":[\"588460de-4d21-471e-922f-0b59d3ec977f\",\"93ae869a-82d8-4825-9391-568728d510a7\",\"69651d63-8697-41d8-b639-5d77e806c90a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":48,\"h\":37,\"i\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\"},\"panelIndex\":\"cac9a63e-4892-4879-bd94-210fd3b5b3d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"isTransposed\":false},{\"columnId\":\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"isTransposed\":false,\"oneClickFilter\":true},{\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\",\"isTransposed\":false,\"hidden\":true},{\"columnId\":\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"isTransposed\":false},{\"columnId\":\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"isTransposed\":false},{\"columnId\":\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"isTransposed\":false},{\"columnId\":\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"isTransposed\":false},{\"columnId\":\"f7109d3b-68d4-418c-b4c4-fe451858d375\",\"isTransposed\":false},{\"columnId\":\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c51272e9-4ceb-4095-a2a2-7d27d957fc4e\":{\"columns\":{\"1cedf71d-5da2-423a-8108-0d28190dc1f2\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"09e332ce-350b-499a
-8df5-9b15ed375c20\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"e323b79e-be8f-458d-80b9-100d79e6fc3c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"655b8229-82ac-4302-a97c-a5b1778f22f9\":{\"label\":\"data.docker.Type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Type\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"c47bc042-54fd-4134-9cec-05f36c5c95e0\":{\"label\":\"data.docker.Action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Action\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]},\"customLabel\":true},\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\":{\"label\":\"data.docker.Actor.ID\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.docker.Actor
.ID\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"a61f2679-de38-4a5d-b105-dab5d341a400\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"f7109d3b-68d4-418c-b4c4-fe451858d375\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"28c7593f-f805-4cbd-afed-94dfdbde7d29\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"1cedf71d-5da2-423a-8108-0d28190dc1f2\",\"09e332ce-350b-499a-8df5-9b15ed375c20\",\"655b8229-82ac-4302-a97c-a5b1778f22f9\",\"1bef96c9-5098-47db-9d76-2eba9c1cfd33\",\"c47bc042-54fd-4134-9cec-05f36c5c95e0\",\"a61f2679-de38-4a5d-b105-dab5d341a400\",\"f7109d3b-68d4-41
8c-b4c4-fe451858d375\",\"28c7593f-f805-4cbd-afed-94dfdbde7d29\",\"e323b79e-be8f-458d-80b9-100d79e6fc3c\"],\"sampling\":1,\"incompleteColumns\":{}}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:50.548Z","id":"8359c240-a7cf-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"9c90478b-ef8d-4f0a-89ea-7cac2fb2b631:indexpattern-datasource-layer-b9d91550-4d81-4724-926b-368cbac70c5c","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"ec92f542-1336-4a92-90e6-548fa7a78db6:indexpattern-datasource-layer-45315f08-c693-4bdc-aa72-8546f280b2b2","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"cac9a63e-4892-4879-bd94-210fd3b5b3d0:indexpattern-datasource-layer-c51272e9-4ceb-4095-a2a2-7d27d957fc4e","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:50.548Z","version":"WzM5MywxXQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"syncCursor\":true,\"syncTooltips\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"5177564c-7c79-4412-9c03-99dca92b90d5\"},\"panelIndex\":\"5177564c-7c79-4412-9c03-99dca92b90d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"left\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"curveType\":\"CURVE_MONOTONE_X\",\"fillOpacity\":1,\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"area_stacked\",\"layers\":[{\"layerId\":\"bca83102-e00c-4277-b280-a91ef087536e\",\"accessors\":[\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"position\":\"top\",\"seriesType\":\"area_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"splitAccessor\":\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"bca83102-e00c-4277-b280-a91ef087536e\":{\"columns\":{\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\":{\"label\":\"Top 3 values of 
data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"filter\":{\"query\":\"rule.groups : \\\"amazon\\\" \",\"language\":\"kuery\"},\"params\":{\"emptyAsNull\":true},\"customLabel\":true}},\"columnOrder\":[\"0e534aac-0aaf-4458-8d88-e2575fb2ebb9\",\"4d2f8c1f-5ce3-449b-b0d7-f1d1989ba49e\",\"80ac5cd7-4cfb-4c07-ad75-3cedb6212f18\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Events by source over 
time\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\"},\"panelIndex\":\"692e518d-0688-414b-92e8-6b2bf1b960dd\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\",\"primaryGroups\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\"],\"metrics\":[\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"numberDisplay\":\"hidden\",\"categoryDisplay\":\"hide\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\",\"emptySizeRatio\":0.7}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef\":{\"columns\":{\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\":{\"label\":\"Top 5 values of data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"4a2c1031-e343-427d-b141-b47ccc7a570a\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false,\"secondaryFields\":[]}},\"4a2c1031-e343-427d-b141-b47ccc7a570a\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}}},\"columnOrder\":[\"e81edf81-ce10-496b-8ca9-eb38d5ff2ccb\",\"4a2c1031-e343-427d-b141-b47ccc7a570a\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Sources\"},{\"version\":\"8.6.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\"},\"panelIndex\":\"25e0d536-4163-46e6-abd5-5cd45cd9f30a\",\"embeddableConfig\":{\"attributes\":{\"title\":\"e\",\"description\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"f410770f-a2da-47db-8a47-20b2ddbdcf5e\",\"name\":\"indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"columns\":[{\"isTransposed\":false,\"columnId\":\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"oneClickFilter\":true},{\"isTransposed\":false,\"columnId\":\"1835ff08-affb-403c-991e-8e642c7a5456\"},{\"isTransposed\":false,\"columnId\":\"6dce6ade-b342-4645-9ff2-228f319d69f7\"},{\"isTransposed\":false,\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\",\"hidden\":true},{\"columnId\":\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"isTransposed\":false},{\"columnId\":\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"isTransposed\":false},{\"columnId\":\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"isTransposed\":false,\"oneClickFilter\":true}],\"layerId\":\"c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2\",\"layerType\":\"data\",\"headerRowHeight\":\"custom\",\"headerRowHeightLines\":2,\"rowHeight\":\"custom\",\"rowHeightLines\":2,\"paging\":{\"size\":10,\"enabled\":true}},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"formBased\":{\"layers\":{\"c23cdcb3-1e5c-46f0-9ef2-827d9b867
cb2\":{\"columns\":{\"8882fc10-f772-4a02-af1f-049b59a04dfd\":{\"label\":\"agent.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"agent.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"1835ff08-affb-403c-991e-8e642c7a5456\":{\"label\":\"data.aws.source\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"data.aws.source\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"6dce6ade-b342-4645-9ff2-228f319d69f7\":{\"label\":\"timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\",\"includeEmptyRows\":true,\"dropPartials\":false}},\"f8266242-342d-4046-8bb5-90efe4839a60\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"___records___\",\"params\":{\"emptyAsNull\":true}},\"06b78908-beb7-4a01-a9b0-b7f9775318d9\":{\"label\":\"rule.description\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.description\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true},\"ea992e31-8ea1-4548-8182-da51c911cf21\":{\"label\":\"rule.level\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"rule.level\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"includeEmptyRows\":true,\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"}},\"a8c6efd9-93b3-4636-96ea-43b359962134\":{\"label\":\"rule.id\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"rule.id\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f8266242-342d-4046-8bb5-90efe4839a60\"},\"orderDirection\":\"desc\",\"otherBucket\":false,\"missingBucket\":false,\"parentFormat\":{\"id\":\"terms\"},\"include\":[],\"exclude\":[],\"includeIsRegex\":false,\"excludeIsRegex\":false},\"customLabel\":true}},\"columnOrder\":[\"6dce6ade-b342-4645-9ff2-228f319d69f7\",\"8882fc10-f772-4a02-af1f-049b59a04dfd\",\"1835ff08-affb-403c-991e-8e642c7a5456\",\"06b78908-beb7-4a01-a9b0-b7f9775318d9\",\"ea992e31-8ea1-4548-8182-da51c911cf21\",\"a8c6efd9-93b3-4636-96ea-43b359962134\",\"f8266242-342d-4046-8bb5-90efe4839a60\"],\"incompleteColumns\":{},\"sampling\":1}}},\"textBased\":{\"layers\":{}}},\"internalReferences\":[],\"adHocDataViews\":{}}},\"enhancements\":{},\"hidePane
lTitles\":false},\"title\":\"Events\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"coreMigrationVersion":"8.6.2","created_at":"2023-04-24T18:35:30.916Z","id":"ff5626e0-a63f-11ed-8b0e-91d62e747cc9","migrationVersion":{"dashboard":"8.6.0"},"references":[{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"5177564c-7c79-4412-9c03-99dca92b90d5:indexpattern-datasource-layer-bca83102-e00c-4277-b280-a91ef087536e","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"692e518d-0688-414b-92e8-6b2bf1b960dd:indexpattern-datasource-layer-ecb05aff-bc9d-4ba1-b817-bf4016e0c5ef","type":"index-pattern"},{"id":"f410770f-a2da-47db-8a47-20b2ddbdcf5e","name":"25e0d536-4163-46e6-abd5-5cd45cd9f30a:indexpattern-datasource-layer-c23cdcb3-1e5c-46f0-9ef2-827d9b867cb2","type":"index-pattern"}],"type":"dashboard","updated_at":"2023-04-24T18:35:30.916Z","version":"WzM1OCwxXQ=="}
-{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":8,"missingRefCount":0,"missingReferences":[]}
\ No newline at end of file
diff --git a/integrations/elastic/logstash/pipeline/es_template.json b/integrations/elastic/logstash/pipeline/es_template.json
deleted file mode 100644
index 050034e58ccd2..0000000000000
--- a/integrations/elastic/logstash/pipeline/es_template.json
+++ /dev/null
@@ -1,2042 +0,0 @@ -{ - "index_patterns": [ - "wazuh-alerts-4.x-*", - "wazuh-archives-4.x-*" - ], - "template": { - "settings": { - "index": { - "routing": { - "allocation": { - "include": { - "_tier_preference": "data_content" - } - } - }, - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "refresh_interval": "5s", - "number_of_shards": "3", - "auto_expand_replicas": "0-1", - "query": { - "default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - 
"data.aws.aws_account_id", - "data.aws.description", - "data.aws.dstport", - "data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - 
"data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - "data.aws.responseElements.description", - "data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - 
"data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - "data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - "data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.status", - "data.sca.check.title", - 
"data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - "data.sca.scan_id", - "data.sca.total_checks", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - "data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - 
"data.vulnerability.cvss.cvss3.vector.scope", - "data.vulnerability.cvss.cvss3.vector.user_interaction", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.source", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.severity", - "data.vulnerability.title", - "data.vulnerability.assigner", - "data.vulnerability.cve_version", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - "data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - 
"data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - "data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.mitre.id", - "rule.mitre.tactic", - "rule.mitre.technique", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.mode", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", - "type" - ] - }, - "number_of_replicas": "0" - } - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword" - } - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" 
- }, - "@version": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "agent": { - "properties": { - "id": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "properties": { - "action": { - "type": "keyword" - }, - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": 
"keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "accountId": { - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "createdAt": { - "type": "date" - }, - "dstaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "log_info": { - "properties": { - "s3bucket": { - "type": "keyword" - } - } - }, - "region": { - "type": "keyword" - }, - "resource": { - "properties": { - "instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - }, - "service": { - "properties": { - "action": { - "properties": { - "networkConnectionAction": { - "properties": { - "remoteIpDetails": { - "properties": { - "geoLocation": { - "type": "geo_point" - }, - "ipAddressV4": { - "type": "ip" - } - } - } - } - } - } - }, - "count": { - "type": "long" - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - 
} - }, - "source": { - "type": "keyword" - }, - "source_ip_address": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "start": { - "type": "date" - }, - "updatedAt": { - "type": "date" - } - } - }, - "cis": { - "properties": { - "benchmark": { - "type": "keyword" - }, - "error": { - "type": "long" - }, - "fail": { - "type": "long" - }, - "group": { - "type": "keyword" - }, - "notchecked": { - "type": "long" - }, - "pass": { - "type": "long" - }, - "result": { - "type": "keyword" - }, - "rule_title": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "timestamp": { - "type": "keyword" - }, - "unknown": { - "type": "long" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "docker": { - "properties": { - "Action": { - "type": "keyword" - }, - "Actor": { - "properties": { - "Attributes": { - "properties": { - "image": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "Type": { - "type": "keyword" - } - } - }, - "dstip": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "gcp": { - "properties": { - "jsonPayload": { - "properties": { - "authAnswer": { - "type": "keyword" - }, - "queryName": { - "type": "keyword" - }, - "responseCode": { - "type": "keyword" - }, - "vmInstanceId": { - "type": "keyword" - }, - "vmInstanceName": { - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "labels": { - "properties": { - "location": { - "type": "keyword" - }, - "project_id": { - "type": "keyword" - }, - "source_type": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - } - } - }, - "severity": { - "type": "keyword" - } - } - }, - "github": { - "properties": { - "action": { - "type": "keyword" - }, - "actor": { - "type": "keyword" - }, - "actor_location": { - "properties": { - "country_code": { - "type": "keyword" - } - } - }, - "org": { - "type": 
"keyword" - }, - "repo": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "cpu_name": { - "type": "keyword" - }, - "ram_free": { - "type": "long" - }, - "ram_total": { - "type": "long" - }, - "ram_usage": { - "type": "long" - }, - "serial": { - "type": "keyword" - } - } - }, - "id": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "adapter": { - "type": "keyword" - }, - "ipv4": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "ipv6": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "mac": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "rx_bytes": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "tx_bytes": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "tx_packets": { - "type": "long" - }, - "type": { - "type": "keyword" - } - } - } - } - }, - "office365": { - "properties": { - "Actor": { - "properties": { - "ID": { - "type": "keyword" - } - } - }, - "ClientIP": { - "type": "keyword" - }, - "Operation": { - "type": "keyword" - }, - "ResultStatus": { - "type": "keyword" - }, - "Subscription": { - "type": "keyword" - }, - "UserId": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "architecture": { - 
"type": "keyword" - }, - "build": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "display_version": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "patch": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "osquery": { - "properties": { - "action": { - "type": "keyword" - }, - "calendarTime": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "pack": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "inode": { - "type": "long" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - }, - "protocol": { - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "state": { - "type": 
"keyword" - }, - "tx_queue": { - "type": "long" - } - } - }, - "process": { - "properties": { - "args": { - "type": "keyword" - }, - "cmd": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "nice": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "priority": { - "type": "long" - }, - "processor": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "rgroup": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "session": { - "type": "long" - }, - "sgroup": { - "type": "keyword" - }, - "share": { - "type": "long" - }, - "size": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "stime": { - "type": "long" - }, - "suser": { - "type": "keyword" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "vm_size": { - "type": "long" - } - } - }, - "program": { - "properties": { - "architecture": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "format": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "location": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "source": { - "type": "keyword" - }, - "vendor": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "protocol": { - "type": "keyword" - }, - "sca": { - "properties": { - "check": { - "properties": { - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": 
{ - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "references": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "failed": { - "type": "integer" - }, - "file": { - "type": "keyword" - }, - "invalid": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "policy": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "total_checks": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "srcip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - 
"total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "assigner": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "cve_version": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - 
}, - "title": { - "type": "keyword" - }, - "updated": { - "type": "date" - } - } - } - } - }, - "decoder": { - "properties": { - "accumulate": { - "type": "long" - }, - "fts": { - "type": "long" - }, - "ftscomment": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "parent": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "host": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "predecoder": { - "properties": { - "hostname": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - } - } - }, - "previous_log": { - "type": "text" - }, - "previous_output": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "rule": { - "properties": { - "cis": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "firedtimes": { - "type": "long" - }, - "frequency": { - "type": "long" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "mail": { - "type": "boolean" - }, - "mitre": { - "properties": { - "id": { - "type": "keyword" - }, - "tactic": { - "type": "keyword" - }, - "technique": { - "type": "keyword" - } - } - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "tsc": { - "type": "keyword" - } - } - }, - "syscheck": { - "properties": { - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } 
- }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "hard_links": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "path": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "size_after": { - "type": "long" - }, - "size_before": { - "type": "long" - }, - "tags": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - } - } - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "text" - } - } - }, - "aliases": {} - }, - "version": 1 -} 
diff --git a/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf b/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf
deleted file mode 100644
index d9e734cae6992..0000000000000
--- a/integrations/elastic/logstash/pipeline/indexer-to-elastic.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-input {
- opensearch {
- hosts => ["wazuh.indexer:9200"]
- user => "${INDEXER_USERNAME}"
- password => "${INDEXER_PASSWORD}"
- ssl => true
- ca_file => "/usr/share/logstash/root-ca.pem"
- index => "wazuh-alerts-4.x-*"
- query => '{
- "query": {
- "range": {
- "@timestamp": {
- "gt": "now-1m"
- }
- }
- }
- }'
- schedule => "* * * * *"
- }
-}
-
-
-output {
- elasticsearch {
- hosts => "es01"
- index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
- user => "elastic"
- password => "elastic"
- ssl => true
- cacert => '/etc/certs/elastic/ca/ca.crt'
- template => '/usr/share/logstash/pipeline/es_template.json'
- template_name => 'wazuh'
- template_overwrite => true
- }
-}
diff --git a/integrations/elastic/logstash/setup.sh b/integrations/elastic/logstash/setup.sh
deleted file mode 100644
index 4852d27efd5e1..0000000000000
--- a/integrations/elastic/logstash/setup.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/bash
-
-# This script creates and configures a keystore for Logstash to store
-# indexer's credentials. NOTE: works only for dockerized logstash.
-# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
-
-# Create keystore
-/usr/share/logstash/bin/logstash-keystore create
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD
diff --git a/integrations/logstash/Dockerfile b/integrations/logstash/Dockerfile
deleted file mode 100644
index 0c487bc7b2ca1..0000000000000
--- a/integrations/logstash/Dockerfile
+++ /dev/null
@@ -1,19 +0,0 @@
-ARG LOGSTASH_OSS_VERSION
-FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:${LOGSTASH_OSS_VERSION}
-
-ENV LOGSTASH_KEYSTORE_PASS "SecretPassword"
-ENV LS_PATH "/usr/share/logstash"
-USER logstash
-
-# https://github.com/elastic/logstash/issues/6600
-# Install plugin
-RUN LS_JAVA_OPTS="-Xms1024m -Xmx1024m" logstash-plugin install logstash-input-opensearch
-
-# Copy and run the setup.sh script to create and configure a keystore for Logstash.
-COPY --chown=logstash:logstash ./setup.sh /usr/share/logstash/bin/setup.sh
-RUN bash /usr/share/logstash/bin/setup.sh
-
-# Disable ECS compatibility
-RUN `echo "pipeline.ecs_compatibility: disabled" >> /usr/share/logstash/config/logstash.yml`
-
-WORKDIR /usr/share/logstash
diff --git a/integrations/logstash/setup.sh b/integrations/logstash/setup.sh
deleted file mode 100644
index 4852d27efd5e1..0000000000000
--- a/integrations/logstash/setup.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/bash
-
-# This script creates and configures a keystore for Logstash to store
-# indexer's credentials. NOTE: works only for dockerized logstash.
-# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
-
-# Create keystore
-/usr/share/logstash/bin/logstash-keystore create
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD
diff --git a/integrations/opensearch/README.md b/integrations/opensearch/README.md
deleted file mode 100644
index f6a9224f8093d..0000000000000
--- a/integrations/opensearch/README.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Wazuh to OpenSearch Integration Developer Guide
-
-This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and the OpenSearch Stack. For a detailed guide on how to integrate Wazuh with OpenSearch Stack, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/OpenSearch-stack/index.html).
-
-## Requirements
-
-- Docker and Docker Compose installed.
-
-## Usage
-
-1. Clone the Wazuh repository and navigate to the `integrations/` folder.
-2. Run the following command to start the environment:
- ```bash
- docker compose -f ./docker/compose.indexer-opensearch.yml up -d
- ```
-
-The Docker Compose project will bring up the following services:
-
-- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
-- 1x Wazuh Indexer (OpenSearch).
-- 1x Logstash
-- 1x OpenSearch
-- 1x OpenSearch Dashboards
-
-For custom configurations, you may need to modify these files:
-
-- [docker/compose.indexer-opensearch.yml](../docker/compose.indexer-opensearch.yml): Docker Compose file.
-- [docker/.env](../docker/.env): Environment variables file.
-- [opensearch/logstash/pipeline/indexer-to-opensearch.conf](./logstash/pipeline/indexer-to-opensearch.conf): Logstash Pipeline configuration file.
-
-Check the files above for **credentials**, ports, and other configurations.
-
-| Service | Address | Credentials |
-| --------------------- | ---------------------- | ----------- |
-| Wazuh Indexer | https://localhost:9200 | admin:admin |
-| OpenSearch | https://localhost:9201 | admin:admin |
-| OpenSearch Dashboards | https://localhost:5602 | admin:admin |
-
-## Importing the dashboards
-
-The dashboards for OpenSearch are included in [dashboards.ndjson](./dashboards.ndjson). 
The steps to import them to OpenSearch are the following:
-
-- On OpenSearch Dashboards, expand the left menu, and go to `Dashboards Management`.
-- Click on `Saved Objects`, select `Import`, click on the `Import` icon and browse the dashboard file.
-- Click on Import and complete the process.
-
-Imported dashboards will appear in the `Dashboards` app on the left menu.
diff --git a/integrations/opensearch/dashboards.ndjson b/integrations/opensearch/dashboards.ndjson
deleted file mode 100644
index 678866f75dfa9..0000000000000
--- a/integrations/opensearch/dashboards.ndjson
+++ /dev/null
@@ -1,38 +0,0 @@ -{"attributes":{"fields":"[{\"count\":0,\"name\":\"@sampledata\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"@version\"}}},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.city_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.city_name\"}}},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.country_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.country_name\"}}},{\"count\":0,\"name\":\"GeoLocation.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"GeoLocation.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"GeoLocation.region_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"GeoLocation.region_name\"}}},{\"count\":0,\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_score\",\"type\":\"number\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"_type\",\"type\":\"string\",\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"age
nt.ip\"}}},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.name\"}}},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"cluster.node\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"cluster.node\"}}},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.command\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.command\"}}},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.cwd\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":
{\"parent\":\"data.audit.cwd\"}}},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.exe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.exe\"}}},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.file.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.file.name\"}}},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.success\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.success\"}}},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.audit.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.audit.type\"}}},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.accountId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.accountId\"}}},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.actor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.actor\"}}},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.alert-arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.alert-arn\"}}},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.arn\"}}},{\"count\":0,\"name\":\"data.aws.created-at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.createdAt\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.description\"}}},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.id\"}}},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.log_file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.log_file\"}}},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.log_info.s3bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.log_info.s3bucket\"}}},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.name\"}}},{\"count\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count
\":0,\"name\":\"data.aws.notification-type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.notification-type\"}}},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.partition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.partition\"}}},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.region\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.region\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.principalId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.principalId\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":
{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userName\"}}},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.accessKeyDetails.userType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.accessKeyDetails.userType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.availabilityZone\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.availabilityZone\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.arn\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.iamInstanceProfile.id\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageDescription\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageDescription\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.imageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.imageId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceState\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceState\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.instanceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.instanceType\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.launchTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.networkInterfaceId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateDnsName\"}}},{\"cou
nt\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.privateIpAddress\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicDnsName\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.publicIp\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\",\"type\":\"string\",\"es
Types\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.subnetId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.networkInterfaces.vpcId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeId\"}}},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.instanceDetails.productCodes.productCodeType\"}}},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.resource.resourceType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.resource.resourceType\"}}},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.risk-score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.risk-score\"}}},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.schemaVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.schemaVersion\"}}},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.actionType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.actionType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.api\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.api\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.callerType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.callerType\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.awsApiCallAction.serviceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.awsApiCallAction.serviceName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.connectionDirection\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.connectionDirection\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"data.aws.service.action.networkConnectionAction.localIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.protocol\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg\"}}},{\"co
unt\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"count\":0,\"name\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.networkConnectionAction.remotePortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.blocked\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.blocked\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.port\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.
aws.service.action.portProbeAction.portProbeDetails.localPortDetails.portName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat\"}}},{\"count\":0,\"name\":\"
data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTyp
es\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp\"}}},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.inBytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.
additionalInfo.inBytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.inBytes\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.localPort\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.localPort\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.localPort\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.outBytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.outBytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.outBytes\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.api\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.recentApiCalls.api\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.recentApiCalls.count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.re
centApiCalls.count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.recentApiCalls.count\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatListName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatListName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.threatListName\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.threatName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.threatName\"}}},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.unusual\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.additionalInfo.unusual\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.additionalInfo.unusual\"}}},{\"count\":0,\"name\":\"data.aws.service.archived\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.archived\",\"type\":\"string\",\"esTypes\":[\"k
eyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.archived\"}}},{\"count\":0,\"name\":\"data.aws.service.count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.count\"}}},{\"count\":0,\"name\":\"data.aws.service.detectorId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.detectorId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.detectorId\"}}},{\"count\":0,\"name\":\"data.aws.service.eventFirstSeen\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.service.eventLastSeen\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.service.resourceRole\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.resourceRole\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.resourceRole\"}}},{\"count\":0,\"name\":\"data.aws.service.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.service.serviceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.service.serviceName\"}}},{\"count\":0,\"name\":\"data.aws.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.severity\"}}},{\"count\":0,\"name\":\"data.aws.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.source\"}}},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.DisplayName\"}}},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\",\"type\":\"string\",\"esTypes\
":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.ACL.resources.wazuh.com.Owner.ID\"}}},{\"count\":0,\"name\":\"data.aws.summary.Bucket\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Bucket\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Bucket\"}}},{\"count\":0,\"name\":\"data.aws.summary.Description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Description\"}}},{\"count\":0,\"name\":\"data.aws.summary.Event Count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Event Count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Event Count\"}}},{\"count\":0,\"name\":\"data.aws.summary.Record Count\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.Record Count\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.Record 
Count\"}}},{\"count\":0,\"name\":\"data.aws.summary.Timestamps\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.summary.recipientAccountId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.summary.recipientAccountId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.summary.recipientAccountId\"}}},{\"count\":0,\"name\":\"data.aws.tags.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.tags.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.tags.value\"}}},{\"count\":0,\"name\":\"data.aws.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.title\"}}},{\"count\":0,\"name\":\"data.aws.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.type\"}}},{\"count\":0,\"name\":\"data.aws.updatedAt\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.aws.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.aws.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.aws.url\"}}},{\"count\":0,\"name\":\"data.docker.Action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Action\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.container\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.container\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.container\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.execID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.execID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.execID\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.exitCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.exitCode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.exitCode\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.image\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.image\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.license\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.license\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.maintainer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.maintainer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.maintainer\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.name\",\"type
\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.name\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.build-date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.build-date\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.build-date\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.license\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.license\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.license\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.name\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.schema-version\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.url\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.vcs-url\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vendor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.vendor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.vendor\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.version\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.org.label-schema.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.org.label-schema.version\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.signal\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.signal\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.signal\"}}},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.Attributes.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.Attributes.type\"}}},{\"count\":0,\"name\":\"data.docker.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Actor.ID\"}}},{\"count\":0,\"name\":\"data.docker.Type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.Type\",\"type\":\"string\"
,\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.Type\"}}},{\"count\":0,\"name\":\"data.docker.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.from\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.from\"}}},{\"count\":0,\"name\":\"data.docker.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.id\"}}},{\"count\":0,\"name\":\"data.docker.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.level\"}}},{\"count\":0,\"name\":\"data.docker.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.message\"}}},{\"count\":0,\"name\":\"data.docker.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false},{\"count\":0,\"name\":\"data.docker.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.scope\"}}},{\"count\":0,\"name\":\"data.docker.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.status\"}}},{\"count\":0,\"name\":\"data.docker.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.time\"}}},{\"count\":0,\"name\":\"data.docker.timeNano\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.docker.timeNano\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.docker.timeNano\"}}},{\"count\":0,\"name\":\"data.dstuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.dstuser\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.dstuser\"}}},{\"count\":0,\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"count\":0,\"name\":\"data.extra_data\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.extra_data\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.extra_data\"}}},{\"count\":0,\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"count\":0,\"name\":\"data.gcp.insertId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.insertId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.insertId\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.authAnswer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.authAnswer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.authAnswer\"}}},{\"count\":0,\"name\":\"da
ta.gcp.jsonPayload.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.protocol\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.queryName\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.queryType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.queryType\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.responseCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.responseCode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.responseCode\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.sourceIP\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\"
:0,\"name\":\"data.gcp.jsonPayload.sourceIP\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.sourceIP\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.vmInstanceId\"}}},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.jsonPayload.vmInstanceName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.jsonPayload.vmInstanceName\"}}},{\"count\":0,\"name\":\"data.gcp.logName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.logName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.logName\"}}},{\"count\":0,\"name\":\"data.gcp.receiveTimestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.gcp.resource.labels.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"d
ata.gcp.resource.labels.location\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.location\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.project_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.project_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.project_id\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.source_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.source_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.source_type\"}}},{\"count\":0,\"name\":\"data.gcp.resource.labels.target_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.labels.target_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.labels.target_type\"}}},{\"count\":0,\"name\":\"data.gcp.resource.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.resource.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.resource.type\"}}},{\"count\":0,\"name\":\"data.gcp.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.gcp.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.gcp.severity\"}}},{\"count\":0,\"name\":\"data.gcp.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github.@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github._document_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github._document_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github._document_id\"}}},{\"count\":0,\"name\":\"data.github.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.action\"}}},{\"count\":0,\"name\":\"data.github.active\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.active\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.active\"}}},{\"count\":0,\"name\":\"data.github.actor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.actor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.actor\"}}},{\"count\":0,\"name\":\"data.github.actor_location.country_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.actor_location.country_code\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.actor_location.country_code\"}}},{\"count\":0,\"name\":\"data.github.config.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.content_type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.content_type\"}}},{\"count\":0,\"name\":\"data.github.config.insecure_ssl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.insecure_ssl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.insecure_ssl\"}}},{\"count\":0,\"name\":\"data.github.config.secret
\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.secret\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.secret\"}}},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.config.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.config.url\"}}},{\"count\":0,\"name\":\"data.github.created_at\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events\"}}},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.events_were\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.events_were\"}}},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.hook_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.hook_id\"}}},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.name\"}}},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.org\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.org\"}}},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repo\"}}},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository\"}}},{\"count\":0,\"name\":\"data.github.repository_public\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.repository_public\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.repository_public\"}}},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.team\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.team\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol\"}}},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.transport_protocol_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.transport_protocol_name\"}}},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.user\"}}},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.github.visibility\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.github.visibility\"}}},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.id\"}}},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.integration\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.integration\"}}},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.AadAppId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.AadAppId\"}}},{\"count\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"cou
nt\":0,\"name\":\"data.office365.Actor.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Actor.ID\"}}},{\"count\":0,\"name\":\"data.office365.Actor.Type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorContextId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorContextId\"}}},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ActorIpAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ActorIpAddress\"}}},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ApplicationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ApplicationId\"}}},{\"count\":0,\"name\":\"data.office365.AzureActiveDirectoryEventType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"n
ame\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientApplication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientApplication\"}}},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIP\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIP\"}}},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientIPAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientIPAddress\"}}},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ClientInfoString\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ClientInfoString\"}}},{\"count\":0,\"name\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name
\":\"data.office365.CmdletVersion\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CmdletVersion\"}}},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.CorrelationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.CorrelationId\"}}},{\"count\":0,\"name\":\"data.office365.CreationTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomUniqueId\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.CustomizedDoclib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DataType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DataType\"}}},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DatabaseType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DatabaseType\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileExtension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileExtension\"}}},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationFileName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationFileName\"}}},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DestinationRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DestinationRelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data
.office365.DeviceProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.DeviceProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.DeviceProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.DoNotDistributeEvent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EffectiveOrganization\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EffectiveOrganization\"}}},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ErrorNumber\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ErrorNumber\"}}},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventData\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"
subType\":{\"multi\":{\"parent\":\"data.office365.EventData\"}}},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.EventSource\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.EventSource\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ExtendedProperties.Value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ExtendedProperties.Value\"}}},{\"count\":0,\"name\":\"data.office365.ExternalAccess\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.FromApp\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.HighPriorityMediaProcessing\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Id\"}}},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.InterSystemsId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.InterSystemsId\"}}},{\"count\":0,\"name\":\"data.office365.InternalLogonType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.IntraSystemId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.IntraSystemId\"}}},{\"count\":0,\"name\":\"data.office365.IsDocLib\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Attachments\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Attachments\"}}},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.InternetMessageId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.InternetMessageId\"}}},{\"count\":0,\"name\":\"data.office365.Item.IsRecord\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Id\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\
"data.office365.Item.ParentFolder.MemberRights\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberRights\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberSid\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.MemberUpn\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.MemberUpn\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Name\"}}},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.ParentFolder.Path\",\"type\":
\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.ParentFolder.Path\"}}},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Item.Subject\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Item.Subject\"}}},{\"count\":0,\"name\":\"data.office365.ItemCount\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ItemType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ItemType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseTemplateType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListBaseTemplateType\"}}},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListBaseType\",\"type\":\"string\",
\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListBaseType\"}}},{\"count\":0,\"name\":\"data.office365.ListColor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListColor\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListColor\"}}},{\"count\":0,\"name\":\"data.office365.ListIcon\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListIcon\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListIcon\"}}},{\"count\":0,\"name\":\"data.office365.ListId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListId\"}}},{\"count\":0,\"name\":\"data.office365.ListItemUniqueId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListItemUniqueId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListItemUniqueId\"}}},{\"count\":0,\"name\":\"data.office365.ListTitle\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ListTitle\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ListTitle\"}}},{\"count\":0,\"name\":\"data.office365.LogonType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.LogonUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.LogonUserSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.LogonUserSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxGuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxGuid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerMasterAccountSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerMasterAccountSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerMasterAccountSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerSid\"
,\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerSid\"}}},{\"count\":0,\"name\":\"data.office365.MailboxOwnerUPN\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.MailboxOwnerUPN\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.MailboxOwnerUPN\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.Name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.Name\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.NewValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.NewValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.NewValue\"}}},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.OldValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ModifiedProperties.OldValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ModifiedProperties.OldValue\"}}},{\"count\":0,\"name\":\"data.office365.NonPIIParameters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.NonPIIParameters\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.NonPIIParameters\"}}},{\"count\":0,\"name\":\"data.office365.ObjectId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ObjectId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ObjectId\"}}},{\"count\":0,\"name\":\"data.office365.Operation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Operation\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Operation\"}}},{\"count\":0,\"name\":\"data.office365.OrganizationId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OrganizationId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OrganizationId\"}}},{\"count\":0,\"name\":\"data.office365.OrganizationName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OrganizationName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OrganizationName\"}}},{\"count\":0,\"name\":\"data.office365.OriginatingServer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.OriginatingServer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.OriginatingServer\"}}},{\"count\":0,\"name\":\"data.office365.Parameters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Parameters\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Parameters\"}}},{\"count\":0,\"name\":\"data.office365.RecordType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.RelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.RelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.RelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.ResultCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ResultCount\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ResultCount\"}}},{\"count\":0,\"name\":\"data.office365.ResultStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.ResultStatus\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.ResultStatus\"}}},{\"count\":0,\"name\":\"data.office365.SecurityComplianceCenterEventType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Site\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Site\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Site\"}}},{\"count\":0,\"name\":\"data.office365.SiteUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SiteUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"data.office365.SiteUrl\"}}},{\"count\":0,\"name\":\"data.office365.Source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Source\"}}},{\"count\":0,\"name\":\"data.office365.SourceFileExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceFileExtension\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceFileExtension\"}}},{\"count\":0,\"name\":\"data.office365.SourceFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceFileName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceFileName\"}}},{\"count\":0,\"name\":\"data.office365.SourceRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SourceRelativeUrl\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SourceRelativeUrl\"}}},{\"count\":0,\"name\":\"data.office365.StartTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true},{\"count\":0,\"name\":\"data.office365.Subscription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Subscription\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Subscription\"}}},{\"count\":0,\"name\":\"data.office365.SupportTicketId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.SupportTicketId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.SupportTicketId\"}}},{\"count\":0,\"name\":\"data.office365.Target.ID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Target.ID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Target.ID\"}}},{\"count\":0,\"name\":\"data.office365.Target.Type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.TargetContextId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetContextId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetContextId\"}}},{\
"count\":0,\"name\":\"data.office365.TargetUserOrGroupName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetUserOrGroupName\"}}},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TargetUserOrGroupType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TargetUserOrGroupType\"}}},{\"count\":0,\"name\":\"data.office365.TemplateTypeId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.TemplateTypeId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.TemplateTypeId\"}}},{\"count\":0,\"name\":\"data.office365.UserAgent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserAgent\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserAgent\"}}},{\"count\":0,\"name\":\"data.office365.UserId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"count\":0,\"name\":\"data.office365.UserId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserId\"}}},{\"count\":0,\"name\":\"data.office365.UserKey\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserKey\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserKey\"}}},{\"count\":0,\"name\":\"data.office365.UserServicePlan\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.UserServicePlan\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.UserServicePlan\"}}},{\"count\":0,\"name\":\"data.office365.UserType\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.Version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.office365.WebId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.WebId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.WebId\"}}},{\"count\":0,\"name\":\"data.office365.Workload\",\"type\":\"stri
ng\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.office365.Workload\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.office365.Workload\"}}},{\"count\":0,\"name\":\"data.oscap.check.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.description\"}}},{\"count\":0,\"name\":\"data.oscap.check.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.id\"}}},{\"count\":0,\"name\":\"data.oscap.check.identifiers\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.identifiers\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.identifiers\"}}},{\"count\":0,\"name\":\"data.oscap.check.oval.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.oval.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.oval.id\"}}},{\"count\":0,\"name\":\"data.oscap.check.rationale\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.rationale\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.rationale\"}}},{\"count\":0,\"name\":\"data.oscap.check.references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.references\"}}},{\"count\":0,\"name\":\"data.oscap.check.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.result\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.result\"}}},{\"count\":0,\"name\":\"data.oscap.check.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.severity\"}}},{\"count\":0,\"name\":\"data.oscap.check.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.check.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.check.title\"}}},{\"count\":0,\"name\":\"data.oscap.scan.benchmark.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.benchmark.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.benchmark.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.content\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.content\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.content\"}}},{\"count\":0,\"name\":\"data.oscap.scan.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.profile.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.profile.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"su
bType\":{\"multi\":{\"parent\":\"data.oscap.scan.profile.id\"}}},{\"count\":0,\"name\":\"data.oscap.scan.profile.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.profile.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.profile.title\"}}},{\"count\":0,\"name\":\"data.oscap.scan.score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.oscap.scan.score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.oscap.scan.score\"}}},{\"count\":0,\"name\":\"data.osquery.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.action\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.action\"}}},{\"count\":0,\"name\":\"data.osquery.calendarTime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.osquery.columns.atime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.atime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.atime\"}}},{\"
count\":0,\"name\":\"data.osquery.columns.average_memory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.average_memory\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.average_memory\"}}},{\"count\":0,\"name\":\"data.osquery.columns.avg_system_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.avg_system_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.avg_system_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.avg_user_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.avg_user_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.avg_user_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.block_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.block_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.block_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true
,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_available\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_available\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_available\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.blocks_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.blocks_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.blocks_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.build_distro\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.build_distro\",\"type\":\"string\",\"esTypes\":[\"ke
yword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.build_distro\"}}},{\"count\":0,\"name\":\"data.osquery.columns.build_platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.build_platform\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.build_platform\"}}},{\"count\":0,\"name\":\"data.osquery.columns.bytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.bytes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.bytes\"}}},{\"count\":0,\"name\":\"data.osquery.columns.chain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.chain\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.chain\"}}},{\"count\":0,\"name\":\"data.osquery.columns.config_hash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.config_hash\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.config_hash\"}}},{\"count\"
:0,\"name\":\"data.osquery.columns.config_valid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.config_valid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.config_valid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.counter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.counter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.counter\"}}},{\"count\":0,\"name\":\"data.osquery.columns.ctime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.ctime\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.ctime\"}}},{\"count\":0,\"name\":\"data.osquery.columns.device\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.device\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.device\"}}},{\"count\":0,\"name\":\"data.osquery.columns.device_alias\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\
"name\":\"data.osquery.columns.device_alias\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.device_alias\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.dst_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.dst_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.end\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.end\"}}},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.executions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\
"parent\":\"data.osquery.columns.executions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.extensions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.extensions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.filter_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.filter_name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.flags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.flags\"}}},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.gid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.gid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.iniface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.iniface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes\"}}},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.inodes_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.inodes_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.instance_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.instance_id\"}}},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.interval\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.interval\"}}},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.key\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.key\"}}},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.last_executed\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.last_executed\"}}},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.match\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\
"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_free_perc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_free_perc\"}}},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.memory_total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.memory_total\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mode\"}}},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.mtime\",\"type\":\"s
tring\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.mtime\"}}},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.name\"}}},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.offset\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.offset\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface\"}}},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.outiface_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.outiface_mask\"}}},{\"c
ount\":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.output_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.output_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.packets\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.packets\"}}},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.path\"}}},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.permissions\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.permissions\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count
\":0,\"name\":\"data.osquery.columns.pid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.policy\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.policy\"}}},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.protocol\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.protocol\"}}},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.pseudo\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.pseudo\"}}},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.resident_size\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\"
:{\"parent\":\"data.osquery.columns.resident_size\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_ip\"}}},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.src_mask\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.src_mask\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start\"}}},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.start_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.start_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.system_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.system_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.target\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.target\"}}},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.threshold\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.threshold\"}}},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.tty\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.tty\"}}},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.type\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.user_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.user_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.uuid\"}}},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.value\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.value\"}}},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.version\"}}},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.wall_time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.wall_time\"}}},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.columns.watcher\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.columns.watcher\"}}},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.counter\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.counter\"}}},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.epoch\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.epoch\"}}},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.name\"}}},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.pack\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.pack\"}}},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.osquery.subquery\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.osquery.subquery\"}}},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.protocol\",\"type\":\"string\",\
"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.protocol\"}}},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.scope\"}}},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcip\"}}},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcport\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcport\"}}},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.status\",\"type\":\"string\",\"esTypes
\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.status\"}}},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.system_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.system_name\"}}},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.time\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.time\"}}},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.timeNano\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.timeNano\"}}},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[
\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.uid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.url\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.url\"}}},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.found\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.found\"}}},{\"count\":0,\"name\":\"data.virustotal.malicious\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"str
ing\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.permalink\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.permalink\"}}},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.positives\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.positives\"}}},{\"count\":0,\"name\":\"data.virustotal.scan_date\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.alert_id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.alert_id\"}}},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.file\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.file\"}}},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.md5\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.md5\"}}},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.source.sha1\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.source.sha1\"}}},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.virustotal.total\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.virustotal.total\"}}},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.assigner\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.assigner\"}}},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.bugzilla_references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.bugzilla_references\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve\"}}},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cve_version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cve_version\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerabil
ity.cvss.cvss2.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.authentication\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.authentication\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss2.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.base_score\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.base_score\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.access_complexity\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.attack_vector\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.availability\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.availability\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.confidentiality_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.integrity_impact\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":
\"data.vulnerability.cvss.cvss3.vector.privileges_required\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.privileges_required\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.scope\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.scope\"}}},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cvss.cvss3.vector.user_interaction\"}}},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.cwe_reference\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.cwe_reference\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.v
ulnerability.package.architecture\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.architecture\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.condition\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.condition\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.name\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.source\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.source\"}}},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.package.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.package.version\"}}},{\"count\":0,\"name\":\"data.vulnerability.published\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.rationale\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.rationale\"}}},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.references\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.references\"}}},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.severity\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.severity\"}}},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.state\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.state\"}}},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.vulnerability.title\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.vulnerability.title\"}}},{\"count\":0,\"name\":\"data.vulnerability.updated\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.authenticationPackageName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.failureReason\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.failureReason\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipAddress\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipAddress\"}}},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.ipPort\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.ipPort\"}}},{\"count\":0,\"name\":\"data.win.eventdata.keyLength\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonProcessName\"}}},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.logonType\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.logonType\"}}},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.processId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.processId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.status\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subStatus\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subStatus\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectLogonId\"}}},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.subjectUserSid\"}}},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.eventdata.targetUserName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.eventdata.targetUserName\"}}},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.channel\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.channel\"}}},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.computer\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.computer\"}}},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventID\"}}},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.eventRecordID\"}}},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.systems\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.systems\"}}},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.level\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.level\"}}},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.message\"}}},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.opcode\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.opcode\"}}},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.processID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.processID\"}}},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerGuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerGuid\"}}},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.providerName\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.providerName\"}}},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.severityValue\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.severityValue\"}}},{\"count\":0,\"name\":\"data.win.system.systemTime\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e},{\"count\":0,\"name\":\"data.win.system.task\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.task\"}}},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.threadID\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.threadID\"}}},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"data.win.system.version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.win.system.version\"}}},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.name\"}}},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"decoder.parent\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"decoder.parent\"}}},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[
\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"event.original\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.original\"}}},{\"count\":0,\"name\":\"fields.timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"full_log\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"full_log\"}}},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"host\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host\"}}},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"id\"}}},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"input.type\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"input.type\"}}},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"location\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"location\"}}},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"path\"}}},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.h
ostname\"}}},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.program_name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.program_name\"}}},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"predecoder.timestamp\"}}},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"previous_output\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"previous_output\"}}},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.category\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.category\"}}},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.decoded_as\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.decoded_as\"}}},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.frequency\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.frequency\"}}},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.group\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.group\"}}},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.hostname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.hostname\"}}},{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"count\":0,\"name\":\"rule.details.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.id\"}}},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_fts\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_fts\"}}},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_matched_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_matched_sid\"}}},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.if_sid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.if_sid\"}}},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.ignore\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.ignore\"}}},{\"count\":0,\"name\":\"rule.details.match\
",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.match\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.match\"}}},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.maxsize\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.maxsize\"}}},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.noalert\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.noalert\"}}},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.regex\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.regex\"}}},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.same_source_ip\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.same_source_ip\"}}},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.timeframe\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.timeframe\"}}},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.details.user\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.details.user\"}}},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.filename\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.filename\"}}},{\"count\":0,\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.frequency\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.id\"}}},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"rule.info\"}}},{\"count\":0,\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{
\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci\"}}},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.relative_dirname\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.relative_dirname\"}}},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.status\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.status\"}}},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,
\"subType\":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"count\":0,\"name\":\"syscheck.audit.effective_user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.effective_user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.effective_user.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.group.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.group.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.group.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.process.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.process.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.process.name\"}}},{\"count\":0,\"name\":\"syscheck.audit.
process.ppid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.audit.user.name\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.audit.user.name\"}}},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.changed_attributes\"}}},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.event\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.event\"}}},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{
\"parent\":\"syscheck.gid_after\"}}},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.gname_after\"}}},{\"count\":0,\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.inode_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.md5_after\"}}},{\"count\":0,\"name\":\"syscheck.mtime_after\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.mtime_before\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.path\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.path\"}}},{
\"count\":0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.perm_after\"}}},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha1_after\"}}},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.sha256_after\"}}},{\"count\":0,\"name\":\"syscheck.size_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.tags\"}}},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uid_after\"}}},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syscheck.uname_after\"}}},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"count\":0,\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"count\":0,\"name\":\"timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"timestamp","title":"wazuh-alerts-4.x*"},"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"index-pattern":"7.6.0"},"references":[],"type":"index-pattern","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over 
time\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"left\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-patter
n"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sources","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sources\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"bf8f2f20-c74b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMsMV0="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.aws.source\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.aws.source\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\
"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzQsMV0="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":31,\"h\":15,\"i\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\"},\"panelIndex\":\"0924fcf8-b0d4-4f61-8f3a-da19850bc9d1\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":31,\"y\":0,\"w\":17,\"h\":15,\"i\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\"},\"panelIndex\":\"38fdffd3-ddbf-4d98-9904-877c98ecfa1b\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"x\":0,\"y\":15,\"w\":48,\"h\":15,\"i\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\"},\"panelIndex\":\"7930046b-8b17-4906-a0fe-ba2cc3ae9f15\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-amazon-aws-v1.0","version":1},"id":"d9881710-c74c-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"af813ab0-c74b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"bf8f2f20-c74b-11ed-a68b-6f8
500ccee6f","name":"panel_1","type":"visualization"},{"id":"06ecaf50-c74c-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzUsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 5 events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top 5 events\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzYsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events by source over time - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events by source over time - 
Docker\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-7d\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pat
tern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzcsMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Docker","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Docker\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Type\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.type\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Actor.ID\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.actor.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.docker.Action\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\
":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.docker.action\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"},"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzgsMV0="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"0d9f05f5-49cc-46cd-8855-b9540d3fa606\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"a0d416d1-138e-41be-9576-79feedb9109b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"d1117074-306a-4615-94f2-3b60602cb5a7\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-docker-listener-v1.0","version":1},"id":"38d43040-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6987a560-c74d-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"ad3b5770-c74d-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"199c8ce0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzksMV0="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert groups","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
groups\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Events - Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Events - Incident 
response\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:audit\",\"language\":\"lucene\"},\"label\":\"audit\"},{\"input\":{\"query\":\"rule.groups:audit_command\",\"language\":\"lucene\"},\"label\":\"audit_command\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.
index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzExLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Incident response","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Incident response\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.groups\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.groups\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucke
t\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEyLDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"3507da76-6874-4aa3-8968-3e0ddd11aa19\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"w\":34,\"x\":14,\"y\":0},\"panelIndex\":\"b0a18b5d-447b-4e88-acd2-e14d22289a28\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":13,\"i\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"05aa4c38-33a5-4fec-a35a-e0bb200679c1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-incident-response-v1.0","version":1},"id":"f70272b0-c74f-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"
},"references":[{"id":"a8a6e5c0-c74e-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"52998510-c74f-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"a3b734b0-c74f-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzEzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Critical severity alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Critical severity alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Critical Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Critical\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"High Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"High Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"High Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:High\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Medium Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Medium Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Medium Severity 
Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Medium\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert severity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert 
severity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"cardinal\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","ty
pe":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Low Severity Alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Low Severity Alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Low Severity Alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"data.vulnerability.severity:Low\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greys\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60},\"outline\":true}}}"},"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE4LDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities heat map","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities heat map\",\"type\":\"heatmap\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Greens\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"black\"}}]}}"},"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzE5LDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Vulnerabilities events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Vulnerabilities events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.cve\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.cve\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.name\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.package.version\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucke
t\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.package.version\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.vulnerability.severity\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"data.vulnerability.severity\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIwLDFd"} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"c4678c05-c58e-498f-9fb8-86b670931003\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"594ca739-c190-471b-b2b6-22e69c233d1b\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"d01a6629-e443-49cf-91a3-c5638aff61bd\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"w\":24,\"x\":0,\"y\":8},\"panelIndex\":\"bd0de8bc-0485-449e-9855-59aedd50bc43\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":8,\"i\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"c0bdf80f-5074-40b7-afe5-f08a5e9c3014\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{\"vis\":null},\"gridData\":{\"h\":15,\"i\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"w\":24,\"x\":24,\"y\":8},\"panelIndex\":\"7fa7010e-6f7c-47ab-88dd-4bb2233779d0\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_5\"},{\"embeddableConfig\":{\"hidePanelTitles\":false,\"title\":\"Events\"},\"gridData\":{\"h\":16,\"i\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"w\":48,\"x\":0,\"y\":23},\"panelIndex\":\"75d0531f-26fe-4436-a32d-b043b362e701\",\"title\":\"Events\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-vu
lnerabilities-v1.0","version":1},"id":"4e776290-c763-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"f578e750-c761-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"2f6e17a0-c762-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"3e23cf10-c762-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"6191a210-c762-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"456d3220-c762-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"4458bf70-c763-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"d38ba460-c762-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total 
alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Total\"},\"schema\":\"metric\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Blues\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIyLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Level 12 or above alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Level 12 or above alerts\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Level 12 alerts\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.level:[12 TO 
*]\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"vertical\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Yellow to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzIzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication failure","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication failure\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication failure\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_failed OR rule.groups:win_authentication_failed OR 
rule.groups:authentication_failures\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":50},{\"from\":50,\"to\":75},{\"from\":75,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Authentication success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Authentication success\",\"type\":\"gauge\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"Authentication 
success\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:authentication_success\",\"language\":\"lucene\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"alignment\":\"automatic\",\"extendRange\":false,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Greens\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":1},{\"from\":1,\"to\":2},{\"from\":2,\"to\":3}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"rgba(105,112,125,0.2)\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"rgba(105,112,125,0.2)\",\"bgColor\":true,\"subText\":\"\",\"fontSize\":60}}}}"},"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Alert level evolution","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Alert level 
evolution\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pa
ttern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI2LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top MITRE ATT&CKS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Top MITRE ATT&CKS\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}}}"},"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI3LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts main","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security alerts 
main\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.id\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"}
,\"schema\":\"bucket\"},{\"id\":\"9\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI4LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"e44a9c01-a2c9-438b-a154-96371c1e2891\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_0\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"w\":8,\"x\":16,\"y\":0},\"panelIndex\":\"097d0314-72ee-4cfb-8a0b-b5a61fd76065\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_1\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"w\":8,\"x\":24,\"y\":0},\"panelIndex\":\"1e0deab6-69be-4a8b-8945-9e52bc285425\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_2\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":7,\"i\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"w\":8,\"x\":32,\"y\":0},\"panelIndex\":\"54fc31bf-4bf5-4433-be5e-cd4c60862cea\",\"embeddableConfig\":{\"vis\":null},\"panelRefName\":\"panel_3\"},{\"version\":\"2.6
.0\",\"gridData\":{\"h\":14,\"i\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"w\":32,\"x\":0,\"y\":7},\"panelIndex\":\"7ed5bb88-5819-4b2b-8989-8e8a7cc0424e\",\"embeddableConfig\":{\"title\":\"Alert level evolution - Top 5 agents\",\"hidePanelTitles\":false},\"title\":\"Alert level evolution - Top 5 agents\",\"panelRefName\":\"panel_4\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":14,\"i\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"w\":16,\"x\":32,\"y\":7},\"panelIndex\":\"fd99c43a-4b02-47b8-b89f-9e1aaf56d158\",\"embeddableConfig\":{\"title\":\"Top Mitre ATT&K tactics\",\"hidePanelTitles\":false},\"title\":\"Top Mitre ATT&K tactics\",\"panelRefName\":\"panel_5\"},{\"version\":\"2.6.0\",\"gridData\":{\"h\":18,\"i\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"w\":48,\"x\":0,\"y\":21},\"panelIndex\":\"a30fe8ed-edb1-4531-9735-7e5fe8dfb61b\",\"embeddableConfig\":{\"title\":\"Security alerts\",\"hidePanelTitles\":false},\"title\":\"Security alerts\",\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"wazuh-security-events-v1.0","version":1},"id":"a22b3850-c761-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"6e52b9a0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"53c84aa0-c75b-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"bdd13830-c75b-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"},{"id":"fe649770-c75b-11ed-a68b-6f8500ccee6f","name":"panel_3","type":"visualization"},{"id":"2911c5f0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_4","type":"visualization"},{"id":"0ce036a0-c75d-11ed-a68b-6f8500ccee6f","name":"panel_5","type":"visualization"},{"id":"8d9dc120-c75f-11ed-a68b-6f8500ccee6f","name":"panel_6","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzI5LDFd"} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Emotet malware activity","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Emotet malware activity\",\"type\":\"area\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"filters\",\"params\":{\"filters\":[{\"input\":{\"query\":\"rule.groups:\\\"rootcheck\\\"\",\"language\":\"kuery\"},\"label\":\"\"}]},\"schema\":\"group\"}],\"params\":{\"type\":\"area\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"setYExtents\":false,\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"interpolate\":\"linear\",\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"thresholdLine\":{\"show\":false,\"value\":10,\"widt
h\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"labels\":{}}}"},"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMwLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Rootkits activity over time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Rootkits activity over time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"data.title\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"
Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":3,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"a7146210-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMxLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security alerts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security 
alerts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"8\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.technique\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.mitre.tactic\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.mitre.tactic\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id
\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMyLDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"4653581e-fa04-47ea-a762-e404e5fab8d1\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"0b6caedd-1e6e-4a5d-8904-13343c868083\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"ad008586-6a43-4c7b-8a41-93a85d40ee6f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-malware-detection-v1.0","version":1},"id":"f5c5a590-c752-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"432de3c0-c752-11ed-a68b-6f8500ccee6f","name":"panel_0","type":"visualization"},{"id":"a
7146210-c752-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"eb787860-c752-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzMzLDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"PCI DSS requirements","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PCI DSS requirements\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"radius\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"lin
e\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":false,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"radiusRatio\":50}}"},"id":"e9144240-c755-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM0LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Requirements by agent","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Requirements by 
agent\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requirements\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization
","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM1LDFd"} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Recent events - PCI DSS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Recent events - PCI DSS\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{\"customLabel\":\"count\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{},\"customLabel\":\"timestamp\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"agent.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"agent.name\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.pci_dss\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.pci_dss\"},\"schema\":\"bucket\"},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.description\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.description\"},\"schema\":\"bucket\"},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.level\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\
",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.level\"},\"schema\":\"bucket\"},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"rule.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"rule.id\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"visualization":"7.10.0"},"references":[{"id":"60482990-c74b-11ed-a68b-6f8500ccee6f","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM2LDFd"} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"w\":24,\"x\":0,\"y\":0},\"panelIndex\":\"c9e8317f-c49c-4dbc-ae0b-8a7ad4e29f01\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":15,\"i\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"w\":24,\"x\":24,\"y\":0},\"panelIndex\":\"910f3189-2b70-402b-a1b6-92192307122f\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":17,\"i\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"w\":48,\"x\":0,\"y\":15},\"panelIndex\":\"7e59bccf-af12-4898-8165-ef9ff2bec6de\",\"version\":\"2.6.0\",\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"wazuh-pci-dss-v1.0","version":1},"id":"7f10dd80-c756-11ed-a68b-6f8500ccee6f","migrationVersion":{"dashboard":"7.9.3"},"references":[{"id":"e9144240-c755-11ed-a68b-6f
8500ccee6f","name":"panel_0","type":"visualization"},{"id":"300f7e30-c756-11ed-a68b-6f8500ccee6f","name":"panel_1","type":"visualization"},{"id":"767e3190-c756-11ed-a68b-6f8500ccee6f","name":"panel_2","type":"visualization"}],"type":"dashboard","updated_at":"2023-04-25T12:32:41.780Z","version":"WzM3LDFd"}
-{"exportedCount":37,"missingRefCount":0,"missingReferences":[]}
diff --git a/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf b/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf
deleted file mode 100644
index 74d88ae5428f7..0000000000000
--- a/integrations/opensearch/logstash/pipeline/indexer-to-opensearch.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-input {
- opensearch {
- hosts => ["wazuh.indexer:9200"]
- user => "admin"
- password => "admin"
- index => "wazuh-alerts-4.x-*"
- ssl => true
- ca_file => "/etc/ssl/root-ca.pem"
- query => '{
- "query": {
- "range": {
- "@timestamp": {
- "gt": "now-1m"
- }
- }
- }
- }'
- schedule => "* * * * *"
- }
-}
-output {
- opensearch {
- hosts => ["opensearch.node:9200"]
- auth_type => {
- type => 'basic'
- user => 'admin'
- password => 'admin'
- }
- index => "wazuh-alerts-4.x-%{+YYYY.MM.dd}"
- ssl => true
- cacert => "/etc/ssl/root-ca.pem"
- template => '/usr/share/logstash/pipeline/os_template.json'
- template_name => 'wazuh'
- template_overwrite => true
- legacy_template => false
- }
-}
-
diff --git a/integrations/opensearch/logstash/pipeline/os_template.json b/integrations/opensearch/logstash/pipeline/os_template.json
deleted file mode 100644
index 1fee33afc4da8..0000000000000
--- a/integrations/opensearch/logstash/pipeline/os_template.json
+++ /dev/null
@@ -1,2039 +0,0 @@
-{
- "index_patterns": "wazuh-*",
- "template": {
- "settings": {
- "index": {
- "routing": {
- "allocation": {
- "include": {
- "_tier_preference": "data_content"
- }
- }
- },
- "mapping": {
- "total_fields": {
- "limit": "10000"
- }
- },
- "refresh_interval": "5s",
- "number_of_shards": "3",
- "auto_expand_replicas": "0-1",
- "query": {
- "default_field": [
- "GeoLocation.city_name",
- "GeoLocation.continent_code",
- "GeoLocation.country_code2",
- "GeoLocation.country_code3",
- "GeoLocation.country_name",
- "GeoLocation.ip",
- "GeoLocation.postal_code",
- "GeoLocation.real_region_name",
- "GeoLocation.region_name",
- "GeoLocation.timezone",
- "agent.id",
- "agent.ip",
- "agent.name",
- "cluster.name",
- "cluster.node",
- "command",
- "data",
- "data.action",
- "data.audit",
- "data.audit.acct",
- "data.audit.arch",
- "data.audit.auid",
- "data.audit.command",
- "data.audit.cwd",
- "data.audit.dev",
- "data.audit.directory.inode",
- "data.audit.directory.mode",
- "data.audit.directory.name",
- "data.audit.egid",
- "data.audit.enforcing",
- "data.audit.euid",
- "data.audit.exe",
- "data.audit.execve.a0",
- "data.audit.execve.a1",
- "data.audit.execve.a2",
- "data.audit.execve.a3",
- "data.audit.exit",
- "data.audit.file.inode",
- "data.audit.file.mode",
- "data.audit.file.name",
- "data.audit.fsgid",
- "data.audit.fsuid",
- "data.audit.gid",
- "data.audit.id",
- "data.audit.key",
- "data.audit.list",
- "data.audit.old-auid",
- "data.audit.old-ses",
- "data.audit.old_enforcing",
- "data.audit.old_prom",
- "data.audit.op",
- "data.audit.pid",
- "data.audit.ppid",
- "data.audit.prom",
- "data.audit.res",
- "data.audit.session",
- "data.audit.sgid",
- "data.audit.srcip",
- "data.audit.subj",
- "data.audit.success",
- "data.audit.suid",
- "data.audit.syscall",
- "data.audit.tty",
- "data.audit.uid",
- "data.aws.accountId",
- "data.aws.account_id",
- "data.aws.action",
- "data.aws.actor",
- "data.aws.aws_account_id",
- "data.aws.description",
- 
"data.aws.dstport",
- "data.aws.errorCode",
- "data.aws.errorMessage",
- "data.aws.eventID",
- "data.aws.eventName",
- "data.aws.eventSource",
- "data.aws.eventType",
- "data.aws.id",
- "data.aws.name",
- "data.aws.requestParameters.accessKeyId",
- "data.aws.requestParameters.bucketName",
- "data.aws.requestParameters.gatewayId",
- "data.aws.requestParameters.groupDescription",
- "data.aws.requestParameters.groupId",
- "data.aws.requestParameters.groupName",
- "data.aws.requestParameters.host",
- "data.aws.requestParameters.hostedZoneId",
- "data.aws.requestParameters.instanceId",
- "data.aws.requestParameters.instanceProfileName",
- "data.aws.requestParameters.loadBalancerName",
- "data.aws.requestParameters.loadBalancerPorts",
- "data.aws.requestParameters.masterUserPassword",
- "data.aws.requestParameters.masterUsername",
- "data.aws.requestParameters.name",
- "data.aws.requestParameters.natGatewayId",
- "data.aws.requestParameters.networkAclId",
- "data.aws.requestParameters.path",
- "data.aws.requestParameters.policyName",
- "data.aws.requestParameters.port",
- "data.aws.requestParameters.stackId",
- "data.aws.requestParameters.stackName",
- "data.aws.requestParameters.subnetId",
- "data.aws.requestParameters.subnetIds",
- "data.aws.requestParameters.volumeId",
- "data.aws.requestParameters.vpcId",
- "data.aws.resource.accessKeyDetails.accessKeyId",
- "data.aws.resource.accessKeyDetails.principalId",
- "data.aws.resource.accessKeyDetails.userName",
- "data.aws.resource.instanceDetails.instanceId",
- "data.aws.resource.instanceDetails.instanceState",
- "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName",
- "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName",
- "data.aws.resource.instanceDetails.networkInterfaces.subnetId",
- "data.aws.resource.instanceDetails.networkInterfaces.vpcId",
- "data.aws.resource.instanceDetails.tags.value",
- "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId",
- 
"data.aws.responseElements.description",
- "data.aws.responseElements.instanceId",
- "data.aws.responseElements.instances.instanceId",
- "data.aws.responseElements.instancesSet.items.instanceId",
- "data.aws.responseElements.listeners.port",
- "data.aws.responseElements.loadBalancerName",
- "data.aws.responseElements.loadBalancers.vpcId",
- "data.aws.responseElements.loginProfile.userName",
- "data.aws.responseElements.networkAcl.vpcId",
- "data.aws.responseElements.ownerId",
- "data.aws.responseElements.publicIp",
- "data.aws.responseElements.user.userId",
- "data.aws.responseElements.user.userName",
- "data.aws.responseElements.volumeId",
- "data.aws.service.serviceName",
- "data.aws.severity",
- "data.aws.source",
- "data.aws.sourceIPAddress",
- "data.aws.srcport",
- "data.aws.userIdentity.accessKeyId",
- "data.aws.userIdentity.accountId",
- "data.aws.userIdentity.userName",
- "data.aws.vpcEndpointId",
- "data.command",
- "data.data",
- "data.docker.Actor.Attributes.container",
- "data.docker.Actor.Attributes.image",
- "data.docker.Actor.Attributes.name",
- "data.docker.Actor.ID",
- "data.docker.id",
- "data.docker.message",
- "data.docker.status",
- "data.dstip",
- "data.dstport",
- "data.dstuser",
- "data.extra_data",
- "data.hardware.serial",
- "data.id",
- "data.integration",
- "data.netinfo.iface.adapter",
- "data.netinfo.iface.ipv4.address",
- "data.netinfo.iface.ipv6.address",
- "data.netinfo.iface.mac",
- "data.netinfo.iface.name",
- "data.os.architecture",
- "data.os.build",
- "data.os.codename",
- "data.os.hostname",
- "data.os.major",
- "data.os.minor",
- "data.os.name",
- "data.os.platform",
- "data.os.release",
- "data.os.release_version",
- "data.os.sysname",
- "data.os.version",
- "data.oscap.check.description",
- "data.oscap.check.id",
- "data.oscap.check.identifiers",
- "data.oscap.check.oval.id",
- "data.oscap.check.rationale",
- "data.oscap.check.references",
- "data.oscap.check.result",
- "data.oscap.check.severity",
- 
"data.oscap.check.title",
- "data.oscap.scan.benchmark.id",
- "data.oscap.scan.content",
- "data.oscap.scan.id",
- "data.oscap.scan.profile.id",
- "data.oscap.scan.profile.title",
- "data.osquery.columns.address",
- "data.osquery.columns.command",
- "data.osquery.columns.description",
- "data.osquery.columns.dst_ip",
- "data.osquery.columns.gid",
- "data.osquery.columns.hostname",
- "data.osquery.columns.md5",
- "data.osquery.columns.path",
- "data.osquery.columns.sha1",
- "data.osquery.columns.sha256",
- "data.osquery.columns.src_ip",
- "data.osquery.columns.user",
- "data.osquery.columns.username",
- "data.osquery.name",
- "data.osquery.pack",
- "data.port.process",
- "data.port.protocol",
- "data.port.state",
- "data.process.args",
- "data.process.cmd",
- "data.process.egroup",
- "data.process.euser",
- "data.process.fgroup",
- "data.process.name",
- "data.process.rgroup",
- "data.process.ruser",
- "data.process.sgroup",
- "data.process.state",
- "data.process.suser",
- "data.program.architecture",
- "data.program.description",
- "data.program.format",
- "data.program.location",
- "data.program.multiarch",
- "data.program.name",
- "data.program.priority",
- "data.program.section",
- "data.program.source",
- "data.program.vendor",
- "data.program.version",
- "data.protocol",
- "data.pwd",
- "data.sca",
- "data.sca.check.compliance.cis",
- "data.sca.check.compliance.cis_csc",
- "data.sca.check.compliance.pci_dss",
- "data.sca.check.compliance.hipaa",
- "data.sca.check.compliance.nist_800_53",
- "data.sca.check.description",
- "data.sca.check.directory",
- "data.sca.check.file",
- "data.sca.check.id",
- "data.sca.check.previous_result",
- "data.sca.check.process",
- "data.sca.check.rationale",
- "data.sca.check.reason",
- "data.sca.check.references",
- "data.sca.check.registry",
- "data.sca.check.remediation",
- "data.sca.check.result",
- "data.sca.check.status",
- "data.sca.check.title",
- "data.sca.description",
- "data.sca.file",
- "data.sca.invalid",
- 
"data.sca.name",
- "data.sca.policy",
- "data.sca.policy_id",
- "data.sca.scan_id",
- "data.sca.total_checks",
- "data.script",
- "data.src_ip",
- "data.src_port",
- "data.srcip",
- "data.srcport",
- "data.srcuser",
- "data.status",
- "data.system_name",
- "data.title",
- "data.tty",
- "data.uid",
- "data.url",
- "data.virustotal.description",
- "data.virustotal.error",
- "data.virustotal.found",
- "data.virustotal.permalink",
- "data.virustotal.scan_date",
- "data.virustotal.sha1",
- "data.virustotal.source.alert_id",
- "data.virustotal.source.file",
- "data.virustotal.source.md5",
- "data.virustotal.source.sha1",
- "data.vulnerability.cve",
- "data.vulnerability.cvss.cvss2.base_score",
- "data.vulnerability.cvss.cvss2.exploitability_score",
- "data.vulnerability.cvss.cvss2.impact_score",
- "data.vulnerability.cvss.cvss2.vector.access_complexity",
- "data.vulnerability.cvss.cvss2.vector.attack_vector",
- "data.vulnerability.cvss.cvss2.vector.authentication",
- "data.vulnerability.cvss.cvss2.vector.availability",
- "data.vulnerability.cvss.cvss2.vector.confidentiality_impact",
- "data.vulnerability.cvss.cvss2.vector.integrity_impact",
- "data.vulnerability.cvss.cvss2.vector.privileges_required",
- "data.vulnerability.cvss.cvss2.vector.scope",
- "data.vulnerability.cvss.cvss2.vector.user_interaction",
- "data.vulnerability.cvss.cvss3.base_score",
- "data.vulnerability.cvss.cvss3.exploitability_score",
- "data.vulnerability.cvss.cvss3.impact_score",
- "data.vulnerability.cvss.cvss3.vector.access_complexity",
- "data.vulnerability.cvss.cvss3.vector.attack_vector",
- "data.vulnerability.cvss.cvss3.vector.authentication",
- "data.vulnerability.cvss.cvss3.vector.availability",
- "data.vulnerability.cvss.cvss3.vector.confidentiality_impact",
- "data.vulnerability.cvss.cvss3.vector.integrity_impact",
- "data.vulnerability.cvss.cvss3.vector.privileges_required",
- "data.vulnerability.cvss.cvss3.vector.scope",
- "data.vulnerability.cvss.cvss3.vector.user_interaction",
- 
"data.vulnerability.cwe_reference",
- "data.vulnerability.package.source",
- "data.vulnerability.package.architecture",
- "data.vulnerability.package.condition",
- "data.vulnerability.package.generated_cpe",
- "data.vulnerability.package.name",
- "data.vulnerability.package.version",
- "data.vulnerability.rationale",
- "data.vulnerability.severity",
- "data.vulnerability.title",
- "data.vulnerability.assigner",
- "data.vulnerability.cve_version",
- "data.win.eventdata.auditPolicyChanges",
- "data.win.eventdata.auditPolicyChangesId",
- "data.win.eventdata.binary",
- "data.win.eventdata.category",
- "data.win.eventdata.categoryId",
- "data.win.eventdata.data",
- "data.win.eventdata.image",
- "data.win.eventdata.ipAddress",
- "data.win.eventdata.ipPort",
- "data.win.eventdata.keyName",
- "data.win.eventdata.logonGuid",
- "data.win.eventdata.logonProcessName",
- "data.win.eventdata.operation",
- "data.win.eventdata.parentImage",
- "data.win.eventdata.processId",
- "data.win.eventdata.processName",
- "data.win.eventdata.providerName",
- "data.win.eventdata.returnCode",
- "data.win.eventdata.service",
- "data.win.eventdata.status",
- "data.win.eventdata.subcategory",
- "data.win.eventdata.subcategoryGuid",
- "data.win.eventdata.subcategoryId",
- "data.win.eventdata.subjectDomainName",
- "data.win.eventdata.subjectLogonId",
- "data.win.eventdata.subjectUserName",
- "data.win.eventdata.subjectUserSid",
- "data.win.eventdata.targetDomainName",
- "data.win.eventdata.targetLinkedLogonId",
- "data.win.eventdata.targetLogonId",
- "data.win.eventdata.targetUserName",
- "data.win.eventdata.targetUserSid",
- "data.win.eventdata.workstationName",
- "data.win.system.channel",
- "data.win.system.computer",
- "data.win.system.eventID",
- "data.win.system.eventRecordID",
- "data.win.system.eventSourceName",
- "data.win.system.keywords",
- "data.win.system.level",
- "data.win.system.message",
- "data.win.system.opcode",
- "data.win.system.processID",
- "data.win.system.providerGuid",
- 
"data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.mitre.id", - "rule.mitre.tactic", - "rule.mitre.technique", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - "syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.mode", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "title", - "type" - ] - }, - "number_of_replicas": "0" - } - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "match_mapping_type": "string", - "mapping": { - "type": "keyword" - } - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "@version": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - 
"city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "agent": { - "properties": { - "id": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "properties": { - "action": { - "type": "keyword" - }, - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": 
"keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "accountId": { - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "createdAt": { - "type": "date" - }, - "dstaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "log_info": { - "properties": { - "s3bucket": { - "type": "keyword" - } - } - }, - "region": { - "type": "keyword" - }, - "resource": { - "properties": { - "instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - }, - "service": { - "properties": { - "action": { - "properties": { - "networkConnectionAction": { - "properties": { - "remoteIpDetails": { - "properties": { - "geoLocation": { - "type": "geo_point" - }, - "ipAddressV4": { - "type": "ip" - } - } - } - } - } - } - }, - "count": { - "type": "long" - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "source": { - "type": "keyword" - }, - "source_ip_address": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" 
- }, - "start": { - "type": "date" - }, - "updatedAt": { - "type": "date" - } - } - }, - "cis": { - "properties": { - "benchmark": { - "type": "keyword" - }, - "error": { - "type": "long" - }, - "fail": { - "type": "long" - }, - "group": { - "type": "keyword" - }, - "notchecked": { - "type": "long" - }, - "pass": { - "type": "long" - }, - "result": { - "type": "keyword" - }, - "rule_title": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "timestamp": { - "type": "keyword" - }, - "unknown": { - "type": "long" - } - } - }, - "command": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "docker": { - "properties": { - "Action": { - "type": "keyword" - }, - "Actor": { - "properties": { - "Attributes": { - "properties": { - "image": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "Type": { - "type": "keyword" - } - } - }, - "dstip": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "dstuser": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "gcp": { - "properties": { - "jsonPayload": { - "properties": { - "authAnswer": { - "type": "keyword" - }, - "queryName": { - "type": "keyword" - }, - "responseCode": { - "type": "keyword" - }, - "vmInstanceId": { - "type": "keyword" - }, - "vmInstanceName": { - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "labels": { - "properties": { - "location": { - "type": "keyword" - }, - "project_id": { - "type": "keyword" - }, - "source_type": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - } - } - }, - "severity": { - "type": "keyword" - } - } - }, - "github": { - "properties": { - "action": { - "type": "keyword" - }, - "actor": { - "type": "keyword" - }, - "actor_location": { - "properties": { - "country_code": { - "type": "keyword" - } - } - }, - "org": { - "type": "keyword" - }, - "repo": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "cpu_cores": { - "type": "long" - 
}, - "cpu_mhz": { - "type": "double" - }, - "cpu_name": { - "type": "keyword" - }, - "ram_free": { - "type": "long" - }, - "ram_total": { - "type": "long" - }, - "ram_usage": { - "type": "long" - }, - "serial": { - "type": "keyword" - } - } - }, - "id": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "adapter": { - "type": "keyword" - }, - "ipv4": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "ipv6": { - "properties": { - "address": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "gateway": { - "type": "keyword" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "keyword" - } - } - }, - "mac": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "rx_bytes": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "tx_bytes": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "tx_packets": { - "type": "long" - }, - "type": { - "type": "keyword" - } - } - } - } - }, - "office365": { - "properties": { - "Actor": { - "properties": { - "ID": { - "type": "keyword" - } - } - }, - "ClientIP": { - "type": "keyword" - }, - "Operation": { - "type": "keyword" - }, - "ResultStatus": { - "type": "keyword" - }, - "Subscription": { - "type": "keyword" - }, - "UserId": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "architecture": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "display_version": { - "type": 
"keyword" - }, - "hostname": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "patch": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "osquery": { - "properties": { - "action": { - "type": "keyword" - }, - "calendarTime": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "pack": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "inode": { - "type": "long" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - }, - "protocol": { - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "tx_queue": { - "type": "long" - } - } - }, - "process": { - "properties": { - "args": { - "type": "keyword" - }, - 
"cmd": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "nice": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "priority": { - "type": "long" - }, - "processor": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "rgroup": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "session": { - "type": "long" - }, - "sgroup": { - "type": "keyword" - }, - "share": { - "type": "long" - }, - "size": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "stime": { - "type": "long" - }, - "suser": { - "type": "keyword" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "vm_size": { - "type": "long" - } - } - }, - "program": { - "properties": { - "architecture": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "format": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "location": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "source": { - "type": "keyword" - }, - "vendor": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "protocol": { - "type": "keyword" - }, - "sca": { - "properties": { - "check": { - "properties": { - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "file": { 
- "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - }, - "references": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "description": { - "type": "keyword" - }, - "failed": { - "type": "integer" - }, - "file": { - "type": "keyword" - }, - "invalid": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "policy": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "total_checks": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "srcip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "assigner": { - "type": "keyword" - }, - "cve": { 
- "type": "keyword" - }, - "cve_version": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - }, - "updated": { - "type": "date" - } - } - } - } - }, - "decoder": { - "properties": { - 
"accumulate": { - "type": "long" - }, - "fts": { - "type": "long" - }, - "ftscomment": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "parent": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "host": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "predecoder": { - "properties": { - "hostname": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - } - } - }, - "previous_log": { - "type": "text" - }, - "previous_output": { - "type": "keyword" - }, - "program_name": { - "type": "keyword" - }, - "rule": { - "properties": { - "cis": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "firedtimes": { - "type": "long" - }, - "frequency": { - "type": "long" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "mail": { - "type": "boolean" - }, - "mitre": { - "properties": { - "id": { - "type": "keyword" - }, - "tactic": { - "type": "keyword" - }, - "technique": { - "type": "keyword" - } - } - }, - "nist_800_53": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "tsc": { - "type": "keyword" - } - } - }, - "syscheck": { - "properties": { - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - 
"login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "hard_links": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "path": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "size_after": { - "type": "long" - }, - "size_before": { - "type": "long" - }, - "tags": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - } - } - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "title": { - "type": "keyword" - }, - "type": { - "type": "text" - } - } - }, - "aliases": {} - }, - "version": 1 -} diff --git a/integrations/opensearch/opensearch.yml b/integrations/opensearch/opensearch.yml deleted file mode 100644 index 442c0b707f2ec..0000000000000 
--- a/integrations/opensearch/opensearch.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-network.host: "0.0.0.0"
-node.name: "opensearch"
-compatibility.override_main_response_version: true
-plugins.security.ssl.http.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem
-plugins.security.ssl.http.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key
-plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
-plugins.security.ssl.transport.pemcert_filepath: /usr/share/opensearch/config/certs/opensearch.pem
-plugins.security.ssl.transport.pemkey_filepath: /usr/share/opensearch/config/certs/opensearch.key
-plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/opensearch/config/certs/root-ca.pem
-plugins.security.ssl.http.enabled: true
-plugins.security.ssl.transport.enforce_hostname_verification: false
-plugins.security.ssl.transport.resolve_hostname: false
-plugins.security.authcz.admin_dn:
- - "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.check_snapshot_restore_write_privileges: true
-plugins.security.enable_snapshot_restore_privilege: true
-plugins.security.nodes_dn:
- - "CN=opensearch.node,OU=Wazuh,O=Wazuh,L=California,C=US"
-plugins.security.restapi.roles_enabled:
- - "all_access"
- - "security_rest_api_access"
-plugins.security.system_indices.enabled: true
-plugins.security.system_indices.indices:
- [
- ".opendistro-alerting-config",
- ".opendistro-alerting-alert*",
- ".opendistro-anomaly-results*",
- ".opendistro-anomaly-detector*",
- ".opendistro-anomaly-checkpoints",
- ".opendistro-anomaly-detection-state",
- ".opendistro-reports-*",
- ".opendistro-notifications-*",
- ".opendistro-notebooks",
- ".opensearch-observability",
- ".opendistro-asynchronous-search-response*",
- ".replication-metadata-store",
- ]
-plugins.security.allow_default_init_securityindex: true
-cluster.routing.allocation.disk.threshold_enabled: false
diff --git a/integrations/opensearch/opensearch_dashboards.yml b/integrations/opensearch/opensearch_dashboards.yml
deleted file mode 100644
index 316ebabcf1179..0000000000000
--- a/integrations/opensearch/opensearch_dashboards.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-server.host: 0.0.0.0
-server.port: 5601
-opensearch.hosts: https://opensearch.node:9200
-opensearch.ssl.verificationMode: certificate
-#osd 1.2.4
-# opensearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
-#
-# osd 2.0
-opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
-#
-opensearch_security.multitenancy.enabled: false
-opensearch_security.readonly_mode.roles: ["kibana_read_only"]
-server.ssl.enabled: true
-server.ssl.key: "/usr/share/opensearch-dashboards/config/certs/opensearch.key"
-server.ssl.certificate: "/usr/share/opensearch-dashboards/config/certs/opensearch.pem"
-opensearch.ssl.certificateAuthorities:
- ["/usr/share/opensearch-dashboards/config/certs/root-ca.pem"]
-opensearch.username: "kibanaserver"
-opensearch.password: "kibanaserver"
-opensearchDashboards.branding:
- useExpandedHeader: false
diff --git a/integrations/splunk/README.md b/integrations/splunk/README.md
deleted file mode 100644
index d4182f71b067b..0000000000000
--- a/integrations/splunk/README.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Wazuh to Splunk Integration Developer Guide
-
-This document describes how to prepare a Docker Compose environment to test the integration between Wazuh and Splunk. For a detailed guide on how to integrate Wazuh with Splunk, please refer to the [Wazuh documentation](https://documentation.wazuh.com/current/integrations-guide/splunk/index.html).
-
-## Requirements
-
-- Docker and Docker Compose installed.
-
-## Usage
-
-1. Clone the Wazuh repository and navigate to the `integrations/` folder.
-2. Run the following command to start the environment:
- ```bash
- docker compose -f ./docker/compose.indexer-splunk.yml up -d
- ```
-
-The Docker Compose project will bring up the following services:
-
-- 1x Events Generator (learn more in [wazuh-indexer/integrations/tools/events-generator](../tools/events-generator/README.md)).
-- 1x Wazuh Indexer (OpenSearch).
-- 1x Logstash
-- 1x Splunk
-
-For custom configurations, you may need to modify these files:
-
-- [docker/compose.indexer-splunk.yml](../docker/compose.indexer-splunk.yml): Docker Compose file.
-- [docker/.env](../docker/.env): Environment variables file.
-- [splunk/logstash/pipeline/indexer-to-splunk.conf](./logstash/pipeline/indexer-to-splunk.conf): Logstash Pipeline configuration file.
-
-Check the files above for **credentials**, ports, and other configurations.
-
-| Service | Address | Credentials |
-| ------------- | ---------------------- | ------------------- |
-| Wazuh Indexer | https://localhost:9200 | admin:admin |
-| Splunk | https://localhost:8000 | admin:Password.1234 |
-
-## Importing the dashboards
-
-The dashboards for Splunk are included in this folder. The steps to import them to Splunk are the following:
-
-- In the Splunk UI, go to `Settings` > `Data Inputs` > `HTTP Event Collector` and make sure that the `hec` token is enabled and uses the `wazuh-alerts` index.
-- Open a dashboard file and copy all its content.
-- In the Splunk UI, navigate to `Search & Reporting`, `Dashboards`, click `Create New Dashboard`, write the title and select `Dashboard Studio`, select `Grid` and click on `Create`.
-- On the top menu, there is a `Source` icon. Click on it, and replace all the content with the contents from one of the dashboard files under `integrations/splunk`. After that, click on `Back` and click on `Save`.
-- Repeat the steps for all the desired dashboards.
-
-Imported dashboards will appear under `Search & Reporting` > `Dashboards`.
diff --git a/integrations/splunk/cfssl/ca.json b/integrations/splunk/cfssl/ca.json
deleted file mode 100644
index 8a96a70a42c42..0000000000000
--- a/integrations/splunk/cfssl/ca.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "CN": "Wazuh",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "San Francisco",
- "O": "Wazuh",
- "OU": "Wazuh Root CA"
- }
- ]
-}
diff --git a/integrations/splunk/cfssl/cfssl.json b/integrations/splunk/cfssl/cfssl.json
deleted file mode 100644
index d23daf762100e..0000000000000
--- a/integrations/splunk/cfssl/cfssl.json
+++ /dev/null
@@ -1,58 +0,0 @@
-{
- "signing": {
- "default": {
- "expiry": "8760h"
- },
- "profiles": {
- "intermediate_ca": {
- "usages": [
- "signing",
- "digital signature",
- "key encipherment",
- "cert sign",
- "crl sign",
- "server auth",
- "client auth"
- ],
- "expiry": "8760h",
- "ca_constraint": {
- "is_ca": true,
- "max_path_len": 0,
- "max_path_len_zero": true
- }
- },
- "peer": {
- "usages": [
- "signing",
- "digital signature",
- "key encipherment",
- "data encipherment",
- "client auth",
- "server auth"
- ],
- "expiry": "8760h"
- },
- "server": {
- "usages": [
- "signing",
- "digital signing",
- "key encipherment",
- "data encipherment",
- "server auth"
- ],
- "expiry": "8760h"
- },
- "client": {
- "usages": [
- "signing",
- "digital signature",
- "key encipherment",
- "data encipherment",
- "client auth"
- ],
- "expiry": "8760h"
- }
- }
- }
-}
-
diff --git a/integrations/splunk/cfssl/host.json b/integrations/splunk/cfssl/host.json
deleted file mode 100644
index e1d3cd064b842..0000000000000
--- a/integrations/splunk/cfssl/host.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "CN": "splunk",
- "key": {
- "algo": "rsa",
- "size": 2048
- },
- "names": [
- {
- "C": "US",
- "L": "California",
- "O": "Wazuh",
- "OU": "Wazuh"
- }
- ],
- "hosts": [
- "splunk",
- "localhost"
- ]
-}
diff --git a/integrations/splunk/config/default.yml b/integrations/splunk/config/default.yml
deleted file mode 100644
index e9e0637d69a60..0000000000000
--- a/integrations/splunk/config/default.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-splunk:
- conf:
- - key: web
- value:
- directory: /opt/splunk/etc/system/local
- content:
- settings:
- enablesSplunkWebSSL: true
- privKeyPath: /opt/splunk/etc/auth/custom/splunk.key
- serverCert: /opt/splunk/etc/auth/custom/splunk.pem
- - key: server
- value:
- directory: /opt/splunk/etc/system/local
- content:
- general:
- serverName: splunk
- pass4SymmKey: dadqaBZA2fzxHOvfdlSQpKjIooupehTnmjysUx7j+bP1/NucBL+rch/Kw==
- sslConfig:
- serverCert: /opt/splunk/etc/auth/custom/splunkhec.pem
- hec:
- enable: True
- ssl: True
- port: 8088
- # hec.token is used only for ingestion (receiving Splunk events)
- token: abcd1234
diff --git a/integrations/splunk/config/indexes.conf b/integrations/splunk/config/indexes.conf
deleted file mode 100644
index 81fe23e9e9515..0000000000000
--- a/integrations/splunk/config/indexes.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[default]
-[wazuh-alerts]
-coldPath = $SPLUNK_DB/wazuh/colddb
-enableDataIntegrityControl = 1
-enableTsidxReduction = 1
-homePath = $SPLUNK_DB/wazuh/db
-maxTotalDataSizeMB = 512000
-thawedPath = $SPLUNK_DB/wazuh/thaweddb
-timePeriodInSecBeforeTsidxReduction = 15552000
-tsidxReductionCheckPeriodInSec =
-
diff --git a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf b/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
deleted file mode 100644
index fe6042f4c4e0c..0000000000000
--- a/integrations/splunk/logstash/pipeline/indexer-to-splunk.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-input {
- opensearch {
- hosts => ["wazuh.indexer:9200"]
- user => "${INDEXER_USERNAME}"
- password => "${INDEXER_PASSWORD}"
- ssl => true
- ca_file => "/usr/share/logstash/root-ca.pem"
- index => "wazuh-alerts-4.x-*"
- query => '{
- "query": {
- "range": {
- "@timestamp": {
- "gt": "now-1m"
- }
- }
- }
- }'
- schedule => "* * * * *"
- }
-}
-
-
-output {
- http {
- format => "json"
- http_method => "post"
- url => "https://splunk:8088/services/collector/raw"
- headers => ["Authorization", "Splunk abcd1234"]
- cacert => "/usr/share/logstash/root-ca.pem"
- }
-}
diff --git a/integrations/splunk/logstash/setup.sh b/integrations/splunk/logstash/setup.sh
deleted file mode 100644
index 4852d27efd5e1..0000000000000
--- a/integrations/splunk/logstash/setup.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/bash
-
-# This script creates and configures a keystore for Logstash to store
-# indexer's credentials. NOTE: works only for dockerized logstash.
-# Source: https://www.elastic.co/guide/en/logstash/current/keystore.html
-
-# Create keystore
-/usr/share/logstash/bin/logstash-keystore create
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_USERNAME
-echo "admin" | /usr/share/logstash/bin/logstash-keystore add INDEXER_PASSWORD
diff --git a/integrations/splunk/wazuh-amazon-aws b/integrations/splunk/wazuh-amazon-aws
deleted file mode 100644
index c2d4db71d0bce..0000000000000
--- a/integrations/splunk/wazuh-amazon-aws
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "visualizations": { - "viz_lTJLU7ar": { - "type": "splunk.area", - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count", - "legendDisplay": "left" - }, - "dataSources": { - "primary": "ds_BHh1kZmb" - }, - "title": "Events by source over time" - }, - "viz_l5qazB46": { - "type": "splunk.pie", - "options": { - "showDonutHole": true - }, - "dataSources": { - "primary": "ds_Y2J0psR4" - }, - "title": "Sources" - }, - "viz_1JzeNwnq": { - "type": "splunk.table", - "title": "Events", - "dataSources": { - "primary": "ds_K2y81pak" - } - } - }, - "dataSources": { - "ds_BHh1kZmb": { - "type": "ds.search", - "options": { - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - }, - "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | timechart count by \"data.aws.source\"" - }, - "name": "Search_1" - }, - "ds_Y2J0psR4": { - "type": "ds.search", - "options": { - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - }, - "query": "index=\"wazuh-alerts\" \"data.aws.source\"=\"*\" | chart count by \"data.aws.source\"" - }, - "name": "Search_2" - }, - "ds_K2y81pak": { - "type": "ds.search", - "options": { - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - }, - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.aws.source\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.aws.source, rule.description, rule.level, rule.id" - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time 
Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_lTJLU7ar", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 795, - "h": 334 - } - }, - { - "item": "viz_1JzeNwnq", - "type": "block", - "position": { - "x": 0, - "y": 334, - "w": 1200, - "h": 358 - } - }, - { - "item": "viz_l5qazB46", - "type": "block", - "position": { - "x": 795, - "y": 0, - "w": 405, - "h": 334 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-amazon-aws-v1.0" -} diff --git a/integrations/splunk/wazuh-docker-listener b/integrations/splunk/wazuh-docker-listener deleted file mode 100644 index 756d9145b8875..0000000000000 --- a/integrations/splunk/wazuh-docker-listener +++ /dev/null 
@@ -1,130 +0,0 @@ -{ - "visualizations": { - "viz_OcJb59wC": { - "type": "splunk.pie", - "options": { - "showDonutHole": true - }, - "dataSources": { - "primary": "ds_5TEzCbIf" - }, - "title": "Top 5 events" - }, - "viz_bQPbbrvw": { - "type": "splunk.column", - "title": "Events by source over time", - "dataSources": { - "primary": "ds_l6nQN96B" - }, - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - } - }, - "viz_7GGKwL33": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_gW45zmr5" - }, - "title": "Events" - } - }, - "dataSources": { - "ds_5TEzCbIf": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | top limit=5 data.docker.Action | chart count by data.docker.Action", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "name": "Search_1" - }, - "ds_l6nQN96B": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by data.docker.Type useother=false usenull=false\n", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "name": "Search_2" - }, - "ds_gW45zmr5": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.docker.Type\"=\"*\", \"data.docker.Actor.ID\"=\"*\", \"data.docker.Action\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.docker.Type, data.docker.Actor.ID, data.docker.Action, rule.description, rule.level, rule.id", - "queryParameters": { - "earliest": "$global_time.earliest$", - "latest": "$global_time.latest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": 
"global_time", - "defaultValue": "-24h@h,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_OcJb59wC", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 415, - "h": 316 - } - }, - { - "item": "viz_7GGKwL33", - "type": "block", - "position": { - "x": 0, - "y": 316, - "w": 1200, - "h": 378 - } - }, - { - "item": "viz_bQPbbrvw", - "type": "block", - "position": { - "x": 415, - "y": 0, - "w": 785, - "h": 316 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-docker-listener-v1.0" -} diff --git a/integrations/splunk/wazuh-incident-response b/integrations/splunk/wazuh-incident-response deleted file mode 100644 index 247cec3303b01..0000000000000 --- a/integrations/splunk/wazuh-incident-response +++ /dev/null 
@@ -1,131 +0,0 @@ -{ - "visualizations": { - "viz_bRMOrrNo": { - "type": "splunk.pie", - "options": { - "showDonutHole": true - }, - "dataSources": { - "primary": "ds_T5OG9qjO" - }, - "title": "Alert groups" - }, - "viz_iOvmhhgU": { - "type": "splunk.table", - "options": {}, - "dataSources": { - "primary": "ds_tnYl87gQ" - } - }, - "viz_P0bNNVfw": { - "type": "splunk.column", - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "dataSources": { - "primary": "ds_GccX6Lrj" - }, - "title": "Events" - } - }, - "dataSources": { - "ds_T5OG9qjO": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"*\" | top limit=5 \"rule.groups{}\" | chart count by \"rule.groups{}\" useother=false usenull=false", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_tnYl87gQ": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.groups{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.groups{}, rule.description, rule.level, rule.id", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_GccX6Lrj": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"audit\" | timechart count by \"rule.groups{}\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global 
Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_bRMOrrNo", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 388, - "h": 292 - } - }, - { - "item": "viz_iOvmhhgU", - "type": "block", - "position": { - "x": 0, - "y": 292, - "w": 1200, - "h": 399 - } - }, - { - "item": "viz_P0bNNVfw", - "type": "block", - "position": { - "x": 388, - "y": 0, - "w": 812, - "h": 292 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-incident-response-v1.0" -} diff --git a/integrations/splunk/wazuh-malware-detection b/integrations/splunk/wazuh-malware-detection deleted file mode 100644 index 70c825efabb01..0000000000000 --- a/integrations/splunk/wazuh-malware-detection +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "visualizations": { - "viz_Q5GQT6h2": { - "type": "splunk.area", - "dataSources": { - "primary": "ds_N3cdEic4" - }, - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "title": "Emotet malware activity" - }, - "viz_U8vFKyUp": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_f5AJxLS5" - }, - "title": "Security alerts" - }, - "viz_uLQLGVbg": { - "type": "splunk.line", - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "dataSources": { - "primary": "ds_IcWLWjPn" - }, - "title": "Rootkits activity over time" - } - }, - "dataSources": { - "ds_N3cdEic4": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"rootcheck\" | timechart count by \"rule.groups{}\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_f5AJxLS5": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.mitre.technique{}\"=\"*\", \"rule.mitre.tactic{}\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\", \"rule.description\"=\"*\" | table _time, agent.name, rule.mitre.technique{}, rule.mitre.tactic{}, rule.level, rule.id, rule.description\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_IcWLWjPn": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by data.title useother=false usenull=false\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - 
"token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_Q5GQT6h2", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 458, - "h": 293 - } - }, - { - "item": "viz_U8vFKyUp", - "type": "block", - "position": { - "x": 0, - "y": 293, - "w": 1200, - "h": 381 - } - }, - { - "item": "viz_uLQLGVbg", - "type": "block", - "position": { - "x": 458, - "y": 0, - "w": 742, - "h": 293 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-malware-detection-v1.0" -} diff --git a/integrations/splunk/wazuh-pci-dss b/integrations/splunk/wazuh-pci-dss deleted file mode 100644 index 84748831a9790..0000000000000 --- a/integrations/splunk/wazuh-pci-dss +++ /dev/null 
@@ -1,132 +0,0 @@ -{ - "visualizations": { - "viz_9NIbkgTo": { - "type": "splunk.bubble", - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "dataSources": { - "primary": "ds_g3vSgFS7" - }, - "title": "PCI DSS requirements" - }, - "viz_Z6CAbCjJ": { - "type": "splunk.column", - "options": { - "stackMode": "stacked", - "yAxisTitleText": "count", - "xAxisTitleText": "requirements" - }, - "dataSources": { - "primary": "ds_lljKZIBi" - }, - "title": "Requirements by agent" - }, - "viz_AtTGNj0f": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_9ABDZ4aq" - }, - "title": "Recent events" - } - }, - "dataSources": { - "ds_g3vSgFS7": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.pci_dss{}\"=\"*\" | timechart count by \"rule.pci_dss{}\"\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_lljKZIBi": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\" | chart count by \"rule.pci_dss{}\", \"agent.name\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_9ABDZ4aq": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"rule.pci_dss{}\"=\"*\", \"rule.description\"=\"*\", \"rule.level\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, rule.pci_dss{}, rule.description, rule.level, rule.id", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": 
"-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_9NIbkgTo", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 629, - "h": 400 - } - }, - { - "item": "viz_AtTGNj0f", - "type": "block", - "position": { - "x": 0, - "y": 400, - "w": 1200, - "h": 291 - } - }, - { - "item": "viz_Z6CAbCjJ", - "type": "block", - "position": { - "x": 629, - "y": 0, - "w": 571, - "h": 400 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-pci-dss-v1.0" -} diff --git a/integrations/splunk/wazuh-security-events b/integrations/splunk/wazuh-security-events deleted file mode 100644 index c64fa191bed88..0000000000000 --- a/integrations/splunk/wazuh-security-events +++ /dev/null 
@@ -1,292 +0,0 @@ -{ - "visualizations": { - "viz_oAPKLE0R": { - "type": "splunk.column", - "options": { - "xAxisTitleText": "timestamp", - "yAxisTitleText": "Count", - "stackMode": "stacked" - }, - "dataSources": { - "primary": "ds_TdanKF0I" - }, - "showProgressBar": false, - "showLastUpdated": false, - "title": "Alerts evolution - Top 5 agents", - "description": "" - }, - "viz_Y07WmZ1b": { - "type": "splunk.table", - "dataSources": { - "primary": "ds_ut2DiVW9" - }, - "title": "Security alerts", - "description": "" - }, - "viz_DI7fpctI": { - "type": "splunk.pie", - "dataSources": { - "primary": "ds_EmDJmxMO" - }, - "showProgressBar": false, - "showLastUpdated": false, - "title": "Top Mitre ATT&K tactics" - }, - "viz_qYCIuSjF": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#0258a1", - "trendColor": "#000000" - }, - "dataSources": { - "primary": "ds_d9cN1Qn9" - }, - "title": "Total" - }, - "viz_aTlMnG7A": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#db566f" - }, - "dataSources": { - "primary": "ds_ZPT4uVoe" - }, - "title": "Level 12 or above alerts" - }, - "viz_R8LMR6U6": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#bf0561" - }, - "dataSources": { - "primary": "ds_d8m0U7Ph" - }, - "title": "Authentication failure" - }, - "viz_nDMI4ZGW": { - "type": "splunk.singlevalueradial", - "options": { - "majorColor": "#007d73" - }, - "dataSources": { - "primary": "ds_7FDRhb5m" - }, - "title": "Authentication success" - } - }, - "dataSources": { - "ds_TdanKF0I": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by agent.name\n\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_ut2DiVW9": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.mitre.id{}\"=\"*\" | table _time, agent.name, rule.mitre.id{}, rule.mitre.tactic{}, 
rule.description, rule.level, rule.id\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_EmDJmxMO": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | top limit=5 agent.name | chart count by agent.name\n", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - }, - "ds_5QIbKzqF": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | chart count by rule.groups", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_4" - }, - "ds_d9cN1Qn9": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_5" - }, - "ds_ZPT4uVoe": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" rule.level>=12 | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_6" - }, - "ds_d8m0U7Ph": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=\"authentication_failed\" OR \"rule.groups{}\"=\"win_authentication_failed\" OR \"rule.groups{}\"=\"authentication_failures\" | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_7" - }, - "ds_7FDRhb5m": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"rule.groups{}\"=authentication_success | stats count", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_8" - }, - "ds_UIfFJptm": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | stats count", - 
"queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_9" - }, - "ds_z3i8WcOf": { - "type": "ds.search", - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - }, - "query": "wazuh-alerts-4.x-sample rule.groups=\"authentication_failures\" | stats count by rule.groups" - }, - "name": "Search_10" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_qYCIuSjF", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 291, - "h": 137 - } - }, - { - "item": "viz_oAPKLE0R", - "type": "block", - "position": { - "x": 0, - "y": 137, - "w": 731, - "h": 326 - } - }, - { - "item": "viz_Y07WmZ1b", - "type": "block", - "position": { - "x": 0, - "y": 463, - "w": 1200, - "h": 400 - } - }, - { - "item": "viz_aTlMnG7A", - "type": "block", - "position": { - "x": 291, - "y": 0, - "w": 286, - "h": 137 - } - }, - { - "item": "viz_R8LMR6U6", - "type": "block", - "position": { - "x": 577, - "y": 0, - "w": 301, - "h": 137 - } - }, - { - "item": "viz_DI7fpctI", - "type": "block", - "position": { - "x": 731, - "y": 137, - "w": 469, - "h": 326 - } - }, - { - "item": "viz_nDMI4ZGW", - "type": "block", - "position": { - "x": 878, - "y": 0, - "w": 322, - "h": 137 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-security-events-v1.0" -} diff --git a/integrations/splunk/wazuh-vulnerabilities b/integrations/splunk/wazuh-vulnerabilities deleted file mode 100644 index a46023455e789..0000000000000 
--- a/integrations/splunk/wazuh-vulnerabilities
+++ /dev/null
@@ -1,257 +0,0 @@ -{ - "visualizations": { - "viz_XlLyYDmC": { - "type": "splunk.area", - "dataSources": { - "primary": "ds_DljIxEDR" - }, - "options": { - "stackMode": "stacked", - "xAxisTitleText": "timestamp", - "yAxisTitleText": "count" - }, - "title": "Alert severity" - }, - "viz_qzFw5Wx7": { - "type": "splunk.table", - "options": {}, - "dataSources": { - "primary": "ds_Irx4cEkl" - } - }, - "viz_3V3AvVY4": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_oyvgAG73" - }, - "title": "Critical Severity Alerts", - "options": { - "majorColor": "#db566f" - } - }, - "viz_cmEIbZ9q": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_TVyYlSRA" - }, - "title": "Hight Severity Alerts", - "options": { - "majorColor": "#0258a1" - } - }, - "viz_4QSVuglC": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_D0hAYmXA" - }, - "title": "Medium Severity Alerts", - "options": { - "majorColor": "#007d73" - } - }, - "viz_VI9ZdnSO": { - "type": "splunk.singlevalueradial", - "dataSources": { - "primary": "ds_1KrtDz29" - }, - "title": "Low Severity Alerts", - "options": { - "majorColor": "#232323" - } - } - }, - "dataSources": { - "ds_DljIxEDR": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" | timechart count by data.vulnerability.severity useother=false usenull=false", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_1" - }, - "ds_31leL1fM": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_2" - }, - "ds_jymjmvtF": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", - "queryParameters": { - "latest": "$global_time.latest$", - 
"earliest": "$global_time.earliest$" - } - }, - "name": "Search_3" - }, - "ds_jEwqnxee": { - "type": "ds.search", - "options": { - "query": "wazuh-alerts-4.x-sample | timechart count by data.vulnerability.severity", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_4" - }, - "ds_Irx4cEkl": { - "type": "ds.search", - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - }, - "query": "index=\"wazuh-alerts\" \"agent.name\"=\"*\", \"data.vulnerability.cve\"=\"*\", \"data.vulnerability.package.name\"=\"*\", \"data.vulnerability.package.version\"=\"*\", \"data.vulnerability.severity\"=\"*\", \"rule.id\"=\"*\" | table _time, agent.name, data.vulnerability.cve, data.vulnerability.package.name, data.vulnerability.package.version, data.vulnerability.severity, rule.id\n\n" - }, - "name": "Search_5" - }, - "ds_oyvgAG73": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Critical\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_6" - }, - "ds_TVyYlSRA": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"High\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_7" - }, - "ds_D0hAYmXA": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" \"data.vulnerability.severity\"=\"Medium\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_8" - }, - "ds_1KrtDz29": { - "type": "ds.search", - "options": { - "query": "index=\"wazuh-alerts\" 
\"data.vulnerability.severity\"=\"Low\" | stats count by \"data.vulnerability.severity\"", - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - }, - "name": "Search_9" - } - }, - "defaults": { - "dataSources": { - "ds.search": { - "options": { - "queryParameters": { - "latest": "$global_time.latest$", - "earliest": "$global_time.earliest$" - } - } - } - } - }, - "inputs": { - "input_global_trp": { - "type": "input.timerange", - "options": { - "token": "global_time", - "defaultValue": "-60m@m,now" - }, - "title": "Global Time Range" - } - }, - "layout": { - "type": "grid", - "options": {}, - "structure": [ - { - "item": "viz_3V3AvVY4", - "type": "block", - "position": { - "x": 0, - "y": 0, - "w": 279, - "h": 131 - } - }, - { - "item": "viz_XlLyYDmC", - "type": "block", - "position": { - "x": 0, - "y": 131, - "w": 1200, - "h": 284 - } - }, - { - "item": "viz_qzFw5Wx7", - "type": "block", - "position": { - "x": 0, - "y": 415, - "w": 1200, - "h": 251 - } - }, - { - "item": "viz_cmEIbZ9q", - "type": "block", - "position": { - "x": 279, - "y": 0, - "w": 293, - "h": 131 - } - }, - { - "item": "viz_4QSVuglC", - "type": "block", - "position": { - "x": 572, - "y": 0, - "w": 309, - "h": 131 - } - }, - { - "item": "viz_VI9ZdnSO", - "type": "block", - "position": { - "x": 881, - "y": 0, - "w": 319, - "h": 131 - } - } - ], - "globalInputs": [ - "input_global_trp" - ] - }, - "description": "", - "title": "wazuh-vulnerabilities-v1.0" -} diff --git a/integrations/tools/events-generator/.dockerignore b/integrations/tools/events-generator/.dockerignore deleted file mode 100644 index 0f028b576338e..0000000000000 --- a/integrations/tools/events-generator/.dockerignore +++ /dev/null @@ -1,2 +0,0 @@ -.venv -Dockerfile \ No newline at end of file diff --git a/integrations/tools/events-generator/.gitignore b/integrations/tools/events-generator/.gitignore deleted file mode 100644 index b694934fbf9b4..0000000000000 
--- a/integrations/tools/events-generator/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.venv
\ No newline at end of file
diff --git a/integrations/tools/events-generator/Dockerfile b/integrations/tools/events-generator/Dockerfile
deleted file mode 100644
index da32f8c042017..0000000000000
--- a/integrations/tools/events-generator/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM python:3.9
-COPY . /home/events-generator/
-WORKDIR /home/events-generator
-RUN pip install -r requirements.txt
\ No newline at end of file
diff --git a/integrations/tools/events-generator/README.md b/integrations/tools/events-generator/README.md
deleted file mode 100644
index ac43631d9e2e1..0000000000000
--- a/integrations/tools/events-generator/README.md
+++ /dev/null
@@ -1,52 +0,0 @@
-### Events generator tool
-
-This python tool provides functionality to generate and index sample events for Wazuh's indices.
-
-#### Getting started
-
-Create a virtual environment to install the dependencies of the project.
-
-```console
-python -m venv .venv
-source .venv/bin/activate
-pip install -r requirements.txt
-```
-
-Start the events' generator with `./run.py` or `python run.py`. The program takes no required
-arguments, as it's configured with default values that will work in most cases during development.
-To know more about its capabilities and arguments, display the help menu with `-h`.
-
-As for now, this tool generates events for the `wazuh-alerts-4.x-*` and `wazuh-archives-4.x-*` indices.
-You may also need to create an **index pattern** in _dashboards_ in order to perform
-queries to the index from the UI. To do that, go to Dashboards Management > Index Patterns > Create index pattern > wazuh-alerts-4.x-* > timestamp as Time field
-
-Newer indices, like `wazuh-states-vulnerabilities`, are ECS compliant and use a dedicated events' generator.
-You can find it in the [ecs](../../../ecs/) folder.
-
-
-```console
-python run.py -o indexer -c 5 -t 1
-INFO:event_generator:Inventory created
-INFO:event_generator:Publisher created
-INFO:event_generator:Event created
-{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dRWno40BZRXLJU5t0u6Z', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 168, '_primary_term': 1}
-INFO:event_generator:Event created
-{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dhWno40BZRXLJU5t1u6Y', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 169, '_primary_term': 1}
-INFO:event_generator:Event created
-{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'dxWno40BZRXLJU5t2u6i', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 170, '_primary_term': 1}
-INFO:event_generator:Event created
-{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eBWno40BZRXLJU5t3u6v', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 171, '_primary_term': 1}
-INFO:event_generator:Event created
-{'_index': 'wazuh-alerts-4.x-2024.02.13-000001', '_id': 'eRWno40BZRXLJU5t4u66', '_version': 1, 'result': 'created', '_shards': {'total': 2, 'successful': 2, 'failed': 0}, '_seq_no': 172, '_primary_term': 1}
-```
-
-### Building the Docker image
-
-```console
-docker build -t wazuh/indexer-events-generator:latest .
-```
-
-Run with:
-```console
-docker run -it --name=wazuh-indexer-events-generator --rm wazuh/indexer-events-generator python run.py -h
-```
\ No newline at end of file
diff --git a/integrations/tools/events-generator/requirements.txt b/integrations/tools/events-generator/requirements.txt
deleted file mode 100644
index 37912b81ef184..0000000000000
--- a/integrations/tools/events-generator/requirements.txt
+++ /dev/null
@@ -1 +0,0 @@
-requests>=2.31.0
\ No newline at end of file
diff --git a/integrations/tools/events-generator/run.py b/integrations/tools/events-generator/run.py
deleted file mode 100644
index 8ecf69ada95ad..0000000000000
--- a/integrations/tools/events-generator/run.py
+++ /dev/null
@@ -1,205 +0,0 @@
-#!/usr/bin/python3
-
-# Events generator tool for Wazuh's indices.
-# Chooses a random element from /alerts.json to index
-# Required. Destination of the events. Default: indexer.
-# -c: Number of elements to push. Use 0 to run indefinitely. Default: 0
-# -i: index name prefix or module (e.g: wazuh-alerts, wazuh-states-vulnerabilities)
-# -t: interval between events in seconds. Default: 5
-# when output is "indexer", the following parameters can be provided:
-# -a: indexer's API IP address or hostname.
-# -P: indexer's API port number.
-# -u: username
-# -p: password
-
-
-from abc import ABC, abstractmethod
-import argparse
-import datetime
-import logging
-import random
-import requests
-import time
-import json
-import urllib3
-# import OpenSearch.opensearchpy
-
-logging.basicConfig(level=logging.NOTSET)
-# Combination to supress certificates validation warning when verify=False
-# https://github.com/influxdata/influxdb-python/issues/240#issuecomment-341313420
-logging.getLogger("urllib3").setLevel(logging.ERROR)
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-logger = logging.getLogger("event_generator")
-
-# ================================================== #
-
-
-class Inventory:
- def __init__(self, path: str):
- with open(path, "r") as fd:
- self.elements = fd.readlines()
- self.size = len(self.elements)
-
- def get_random(self) -> str:
- """
- Returns the last element of the list
- """
- random.shuffle(self.elements)
- return self.elements[self.size-1]
-
-# ================================================== #
-
-
-class Publisher(ABC):
- @abstractmethod
- def publish(self, event: str):
- pass
-
-# ================================================== #
-
-
-class PublisherClient(Publisher):
- def __init__(self):
- # self.client = OpenSearch(
- # hosts...
- # )
- pass
-
-# ================================================== #
-
-
-class PublisherHttp(Publisher):
- def __init__(self, address: str, port: int, path: str, user: str, password: str):
- super()
- self.address = address
- self.port = port
- self.path = path
- self.username = user
- self.password = password
-
- def url(self) -> str:
- return f"https://{self.address}:{self.port}/{self.path}/_doc"
-
- def publish(self, event: str):
- try:
- result = requests.post(
- self.url(),
- auth=(self.username, self.password),
- json=json.loads(event),
- verify=False
- )
- print(result.json())
- except json.JSONDecodeError as e:
- logger.error("Error encoding event " +
- event + "\n Caused by: " + e.msg)
-
-# ================================================== #
-
-
-class PublisherCreator:
- @staticmethod
- def create(publisher: str, args) -> Publisher:
- if publisher == "indexer":
- address = args["address"]
- port = args["port"]
- path = args["index"]
- username = args["username"]
- password = args["password"]
-
- return PublisherHttp(address, port, path, username, password)
- else:
- raise ValueError("Unsupported publisher type")
-
-# ================================================== #
-
-
-def date_now() -> str:
- return datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3]+'+0000'
-
-# ================================================== #
-
-
-def parse_args():
- parser = argparse.ArgumentParser(
- description="Events generator tool for Wazuh's indices. Indexes a random element from /alerts.json",
- )
- parser.add_argument(
- '-i', '--index',
- default="wazuh-alerts-4.x-sample",
- help="Destination index name or alias"
- )
- parser.add_argument(
- '-o', '--output',
- choices=['indexer'],
- default="indexer",
- help="Destination of the events. Default: indexer."
- )
- parser.add_argument(
- '-m', '--module',
- default="wazuh-alerts",
- help="Wazuh module to read the alerts from (e.g: wazuh-alerts, wazuh-states-vulnerabilities). Must match a subfolder's name."
- )
- # Infinite loop by default
- parser.add_argument(
- '-c', '--count',
- default=0,
- type=int,
- help="Number of elements to push. Use 0 to run indefinitely. Default: 0"
- )
- # Interval of time between events
- parser.add_argument(
- '-t', '--time',
- default=5,
- type=int,
- help="Interval between events in seconds. Default: 5"
- )
- parser.add_argument(
- '-a', '--address',
- default="localhost",
- help="Indexer's API IP address or hostname."
- )
- parser.add_argument(
- '-P', '--port',
- default=9200,
- type=int,
- help="Indexer's API port number."
- )
- parser.add_argument(
- '-u', '--username',
- default="admin",
- help="Indexer's username"
- )
- parser.add_argument(
- '-p', '--password',
- default="admin",
- help="Indexer's password"
- )
- return parser.parse_args()
-
-
-# ================================================== #
-
-
-def main(args: dict):
- inventory = Inventory(f"{args['module']}/alerts.json")
- logger.info("Inventory created")
- publisher = PublisherCreator.create(args["output"], args)
- logger.info("Publisher created")
-
- count = 0
- max_iter = args["count"]
- time_interval = args["time"]
- while (count < max_iter or max_iter == 0):
- chosen = inventory.get_random().replace("{timestamp}", date_now())
- logger.info("Event created")
- publisher.publish(chosen)
-
- time.sleep(time_interval)
- count += 1
-
-# ================================================== #
-
-
-if __name__ == '__main__':
- main(vars(parse_args()))
diff --git a/integrations/tools/events-generator/wazuh-alerts/alerts.json b/integrations/tools/events-generator/wazuh-alerts/alerts.json
deleted file mode 100644
index d3aea442be327..0000000000000
--- a/integrations/tools/events-generator/wazuh-alerts/alerts.json
+++ /dev/null
@@ -1,1124 +0,0 @@ -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/log/lastlog","uname_after":"root","gname_after":"root","mtime_after":"2023-03-07T17:52:50.390Z","size_after":38,"uid_after":"S-1-5-18","gid_after":"22","perm_after":"rw-r--r--","inode_after":23315}} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"Integrity checksum changed.","groups":["wazuh","syscheck"],"id":"550","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"modified","path":"/etc/sysconfig/network-scripts/ifcfg-eth1","uname_after":"suricata","gname_after":"root","mtime_after":"2023-03-06T00:27:33.061Z","size_after":18,"uid_after":"S-1-5-32-544","gid_after":"994","perm_after":"rw-r--r--","inode_after":25973,"mtime_before":"2023-03-06T00:26:33.061Z","inode_before":81839,"sha1_after":"42b103c8ccf0f552e931159fdccf2072f1444842","changed_attributes":["sha1"],"md5_after":"896a6493ad8dd456f9a9d919d9c74a5e","sha256_after":"6cadaacded787afb101f14c9b404daed8c8800f19199a31024ce91ea1f26"}} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/var/wazuh/queue/fim/db/fim.db","uname_after":"Administrators","gname_after":"root","mtime_after":"2023-03-03T06:38:30.327Z","size_after":46,"uid_after":"S-1-5-18","gid_after":"994","perm_after":"rw-r--r--","inode_after":27089}} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":5,"pci_dss":["11.5"],"hipaa":["164.312.c.1","164.312.c.2"],"description":"File added to the system.","groups":["wazuh","syscheck"],"id":"554","nist_800_53":["SI.7"],"gpg13":["4.11"],"gdpr":["II_5.1.f"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{},"location":"","syscheck":{"event":"added","path":"/etc/elasticsearch/elasticsearch.yml","uname_after":"ec2-user","gname_after":"root","mtime_after":"2023-03-06T15:35:43.101Z","size_after":47,"uid_after":"S-1-5-32-544","gid_after":"993","perm_after":"rw-r--r--","inode_after":94411}} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/dev/.pizda'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly 
detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.b'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. 
Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/lib/libt'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file 
'/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/bin/.lpstree'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'usr/X11R6/.zk/xfs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file 
'/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'TRK' detected 
by the presence of file '/usr/bin/sourcemask'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'TRK' detected by the presence of file '/usr/bin/sourcemask'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.font-unix/.cinik'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. 
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Showtee' detected by the presence of file '/usr/lib/.kinetic'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected 
by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldlibps.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file 
'/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/chsh2'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/usr/lib/libpikapp.a'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected 
by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/usr/lib/ldliblogin.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/bin/.login'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned 
version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/bin/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/usr/bin/adore'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' 
detected by the presence of file '/usr/bin/adore'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'LDP' detected by the presence of file '/dev/.kork'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 
'tmp/.cheese'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'tmp/.cheese'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/netstat","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/netstat' detected. Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event 
(rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/pidof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/pidof' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^f]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. 
Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Bash' detected by the presence of file '/tmp/mcliZokhb'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Bash' 
detected by the presence of file '/tmp/mcliZokhb'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Ramen' detected by the presence of file '/tmp/ramen.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/grep' detected. Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Slapper' detected by the presence of file '/tmp/.bugtraq.c'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Knark' detected by the presence of file '/proc/knark'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file 
'/usr/bin/lsof' detected. Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Monkit' detected by the presence of file '/lib/defs'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":3,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/find","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/find' detected. 
Signature used: 'bash|/dev/[^tnlcs]|/prof|/home/virus|file.h' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/tcpdump","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned 
version of file '/usr/bin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^bu]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":5,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. 
Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/fuser","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/fuser' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[a-dtz]|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/grep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/grep' detected. 
Signature used: 'bash|givemer' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/egrep","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/|^/bin/.*sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/lsof","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/lsof' detected. 
Signature used: '/prof|/dev/[^apcmnfk]|proc.h|bash|^/bin/sh|/dev/ttyo|/dev/ttyp' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":8,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":4,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Omega' detected by the presence of file '/dev/chr'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/top","title":"Trojaned version of file 
detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/top' detected. Signature used: '/dev/[^npi3st%]|proc.h|/prof/' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/w","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/w' detected. Signature used: 'uname -a|proc.h|bash' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":6,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"file":"/usr/bin/ps","title":"Trojaned version of file detected."},"location":"rootcheck","input":{"type":"log"},"full_log":"Trojaned version of file '/usr/bin/ps' detected. 
Signature used: '/dev/ttyo|.1proc|proc.h|bash|^/bin/sh' (Generic)."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Adore' detected by the presence of file '/dev/.shit/red.tgz'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":7,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'ZK' detected by the presence of file 'etc/1ssue.net'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":2,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'RSHA' detected by the presence of file 
'usr/bin/n3tstat'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'RSHA' detected by the presence of file 'usr/bin/n3tstat'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":9,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Rh-Sharpe' detected by the presence of file '/usr/bin/.ps'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":10,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Suspicious' detected by the presence of file 'lib/.so'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"firedtimes":1,"mail":false,"level":7,"description":"Host-based anomaly detection event (rootcheck).","groups":["wazuh","rootcheck"],"id":"510","gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"rootcheck"},"data":{"title":"Rootkit 'Volc' detected by the presence of file 
'/usr/lib/volc'."},"location":"rootcheck","input":{"type":"log"},"full_log":"Rootkit 'Volc' detected by the presence of file '/usr/lib/volc'."} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":16,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/consoletype","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/sbin/consoletype"},"exe":"/usr/sbin/consoletype","command":"consoletype","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":3,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ssh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sshd","command":"ssh","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":11,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/id","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/id"},"exe":"/usr/sbin/id","command":"id","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/bash","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/bin/bash"},"exe":"/usr/sbin/bash","command":"bash","success":"yes","cwd":"/home/wazuh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/grep","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/grep"},"exe":"/usr/sbin/grep","command":"grep","success":"yes","cwd":"/home/wazuh","type":"EXECVE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80790","firedtimes":17,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sh","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/sh"},"exe":"/usr/sbin/sh","command":"sh","success":"yes","cwd":"/home/sh","type":"PATH"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":6,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/ls","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/samplefile"},"exe":"/usr/sbin/ls","command":"ls","success":"yes","cwd":"/home/wazuh","type":"PROCTITLE"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":12,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/sudo","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/var/sample"},"exe":"/usr/sbin/sudo","command":"sudo","success":"yes","cwd":"/home/wazuh","type":"CWD"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80784","firedtimes":13,"mail":false,"level":3,"description":"Audit: Command: /usr/sbin/hostname","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/usr/bin/hostname"},"exe":"/usr/sbin/hostname","command":"hostname","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"id":"80791","firedtimes":1,"mail":false,"level":3,"description":"Audit: Command: 
/usr/sbin/crond","groups":["audit","audit_command"],"gdpr":["IV_30.1.g"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"audit":{"file":{"name":"/etc/sample/file"},"exe":"/usr/sbin/crond","command":"cron","success":"yes","cwd":"/home/wazuh","type":"NORMAL"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"4598","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":57,"rule_title":"CIS-CAT 6","notchecked":1,"score":14,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"4044","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":95,"rule_title":"CIS-CAT 6","notchecked":3,"score":23,"pass":6,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
3","id":"3932","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":51,"rule_title":"CIS-CAT 2","notchecked":4,"score":72,"pass":39,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"1379","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":100,"rule_title":"CIS-CAT 5","notchecked":2,"score":5,"pass":86,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":9,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"4454","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 6","notchecked":4,"score":3,"pass":19,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":65,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
2","id":"3476","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 3","notchecked":0,"score":62,"pass":70,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"1453","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 4","notchecked":3,"score":84,"pass":19,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"1418","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 3","notchecked":2,"score":74,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
2","id":"2726","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":80,"rule_title":"CIS-CAT 3","notchecked":4,"score":1,"pass":66,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 1","id":"4746","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":46,"rule_title":"CIS-CAT 2","notchecked":1,"score":55,"pass":84,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"457","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":15,"rule_title":"CIS-CAT 1","notchecked":5,"score":42,"pass":85,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":27,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
2","id":"3248","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":79,"rule_title":"CIS-CAT 3","notchecked":2,"score":82,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 4","id":"5382","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":4,"rule_title":"CIS-CAT 4","notchecked":4,"score":31,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 3","id":"4840","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":66,"rule_title":"CIS-CAT 3","notchecked":2,"score":58,"pass":29,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 
3","id":"4569","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":78,"rule_title":"CIS-CAT 6","notchecked":1,"score":79,"pass":1,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":20,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"809","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":21,"rule_title":"CIS-CAT 1","notchecked":3,"score":76,"pass":13,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":47,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2098","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":41,"pass":66,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":16,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 
3","id":"2011","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":72,"rule_title":"CIS-CAT 1","notchecked":4,"score":59,"pass":67,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 5","id":"4506","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":12,"rule_title":"CIS-CAT 4","notchecked":1,"score":99,"pass":38,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":49,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"1888","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":50,"rule_title":"CIS-CAT 4","notchecked":2,"score":87,"pass":17,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
5","id":"1059","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":3,"score":98,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":58,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 4","id":"531","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":96,"rule_title":"CIS-CAT 6","notchecked":3,"score":8,"pass":97,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 1","id":"986","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":39,"rule_title":"CIS-CAT 6","notchecked":4,"score":51,"pass":96,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"3810","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":66,"rule_title":"CIS-CAT 1","notchecked":3,"score":84,"pass":91,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 1","id":"3495","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":74,"rule_title":"CIS-CAT 6","notchecked":0,"score":34,"pass":53,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":8,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 1","id":"116","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 4","notchecked":1,"score":46,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 
3","id":"3857","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":19,"rule_title":"CIS-CAT 3","notchecked":0,"score":7,"pass":27,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 2","id":"86","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":1,"score":30,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 3","id":"730","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":18,"rule_title":"CIS-CAT 5","notchecked":1,"score":60,"pass":75,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
2","id":"5482","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":16,"rule_title":"CIS-CAT 3","notchecked":1,"score":60,"pass":93,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"5587","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 3","notchecked":5,"score":7,"pass":48,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":92,"rule_title":"CIS-CAT 3","notchecked":3,"score":25,"pass":36,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 
4","id":"3750","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 6","notchecked":4,"score":44,"pass":73,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 4","id":"4685","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":2,"rule_title":"CIS-CAT 4","notchecked":3,"score":32,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":34,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 3","id":"1858","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":40,"rule_title":"CIS-CAT 4","notchecked":0,"score":98,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"1740","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":0,"rule_title":"CIS-CAT 5","notchecked":1,"score":79,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":61,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4761","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 1","notchecked":2,"score":8,"pass":58,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":11,"description":"Sample alert 5","id":"3621","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":9,"rule_title":"CIS-CAT 2","notchecked":5,"score":76,"pass":86,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"5004","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":83,"rule_title":"CIS-CAT 5","notchecked":0,"score":45,"pass":34,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":17,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 3","id":"3909","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":91,"rule_title":"CIS-CAT 5","notchecked":3,"score":12,"pass":45,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":86,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 1","id":"940","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":57,"rule_title":"CIS-CAT 4","notchecked":1,"score":20,"pass":49,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":83,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"5026","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":48,"rule_title":"CIS-CAT 6","notchecked":1,"score":5,"pass":46,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"2301","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 1","notchecked":5,"score":89,"pass":81,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":40,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 5","id":"4721","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 1","notchecked":0,"score":13,"pass":59,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
2","id":"939","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":7,"rule_title":"CIS-CAT 1","notchecked":5,"score":5,"pass":76,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 1","id":"3683","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":55,"rule_title":"CIS-CAT 1","notchecked":1,"score":32,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":99,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 4","id":"4425","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":70,"rule_title":"CIS-CAT 5","notchecked":5,"score":68,"pass":60,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"4845","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 4","notchecked":1,"score":31,"pass":42,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":3,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4602","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 2","notchecked":3,"score":17,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 2","id":"5863","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":1,"rule_title":"CIS-CAT 6","notchecked":3,"score":2,"pass":44,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":90,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
5","id":"3899","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":12,"rule_title":"CIS-CAT 2","notchecked":1,"score":68,"pass":60,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5802","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":68,"rule_title":"CIS-CAT 4","notchecked":3,"score":8,"pass":76,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 5","id":"2553","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":31,"rule_title":"CIS-CAT 5","notchecked":1,"score":71,"pass":74,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
3","id":"5515","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":67,"rule_title":"CIS-CAT 1","notchecked":4,"score":91,"pass":21,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":12,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 2","id":"3519","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 6","notchecked":2,"score":62,"pass":79,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":42,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 4","id":"4891","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":46,"rule_title":"CIS-CAT 3","notchecked":3,"score":9,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":57,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
5","id":"4265","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":20,"rule_title":"CIS-CAT 2","notchecked":3,"score":48,"pass":12,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":45,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"5205","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":98,"rule_title":"CIS-CAT 6","notchecked":1,"score":97,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"507","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":58,"rule_title":"CIS-CAT 5","notchecked":0,"score":0,"pass":14,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":21,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"3796","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":7,"rule_title":"CIS-CAT 6","notchecked":5,"score":18,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 4","id":"5794","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":20,"rule_title":"CIS-CAT 5","notchecked":3,"score":60,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":55,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 4","id":"188","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 4","notchecked":0,"score":2,"pass":92,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":14,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
3","id":"2333","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":65,"rule_title":"CIS-CAT 3","notchecked":0,"score":49,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 5","id":"2835","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":94,"rule_title":"CIS-CAT 3","notchecked":1,"score":53,"pass":41,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 3","id":"5915","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":99,"rule_title":"CIS-CAT 1","notchecked":2,"score":36,"pass":38,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
5","id":"5311","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":58,"rule_title":"CIS-CAT 3","notchecked":4,"score":29,"pass":17,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":28,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"4972","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 3","notchecked":3,"score":27,"pass":23,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":18,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 4","id":"3913","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 6","notchecked":2,"score":22,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":75,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
4","id":"3530","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":2,"rule_title":"CIS-CAT 1","notchecked":0,"score":22,"pass":64,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 1","id":"434","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":30,"rule_title":"CIS-CAT 1","notchecked":2,"score":65,"pass":55,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":24,"result":"unknown"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 2","id":"684","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":68,"rule_title":"CIS-CAT 2","notchecked":0,"score":11,"pass":26,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":77,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 
4","id":"2819","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 1","notchecked":1,"score":49,"pass":13,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":11,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 2","id":"702","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":44,"rule_title":"CIS-CAT 4","notchecked":5,"score":37,"pass":63,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":89,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 5","id":"1839","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":81,"rule_title":"CIS-CAT 6","notchecked":2,"score":2,"pass":1,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 
4","id":"1899","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":85,"rule_title":"CIS-CAT 2","notchecked":1,"score":20,"pass":59,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":84,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"2808","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":85,"rule_title":"CIS-CAT 2","notchecked":5,"score":46,"pass":31,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":10,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":2,"description":"Sample alert 5","id":"2840","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":97,"rule_title":"CIS-CAT 5","notchecked":3,"score":34,"pass":35,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":43,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
3","id":"5978","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":38,"rule_title":"CIS-CAT 1","notchecked":5,"score":58,"pass":71,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":85,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 5","id":"3237","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":88,"rule_title":"CIS-CAT 5","notchecked":1,"score":66,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 4","id":"2993","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":52,"rule_title":"CIS-CAT 1","notchecked":2,"score":25,"pass":68,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":76,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
5","id":"2141","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":67,"rule_title":"CIS-CAT 5","notchecked":4,"score":95,"pass":78,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5805","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 1","notchecked":4,"score":44,"pass":36,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":91,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5561","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":76,"rule_title":"CIS-CAT 3","notchecked":4,"score":85,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
1","id":"2087","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":75,"rule_title":"CIS-CAT 6","notchecked":4,"score":54,"pass":58,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3402","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":11,"rule_title":"CIS-CAT 5","notchecked":5,"score":64,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":64,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"5032","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":37,"rule_title":"CIS-CAT 4","notchecked":4,"score":0,"pass":11,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":70,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 
2","id":"2352","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":87,"rule_title":"CIS-CAT 3","notchecked":3,"score":65,"pass":74,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":7,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 4","id":"5484","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":59,"rule_title":"CIS-CAT 5","notchecked":3,"score":65,"pass":26,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":79,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 3","id":"4635","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":28,"rule_title":"CIS-CAT 2","notchecked":5,"score":58,"pass":8,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 
4","id":"426","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":62,"rule_title":"CIS-CAT 3","notchecked":5,"score":23,"pass":83,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":15,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":1,"description":"Sample alert 5","id":"1567","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":26,"rule_title":"CIS-CAT 6","notchecked":4,"score":29,"pass":54,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":88,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 5","id":"3333","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":49,"rule_title":"CIS-CAT 2","notchecked":0,"score":51,"pass":2,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":41,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 
3","id":"3284","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":48,"rule_title":"CIS-CAT 5","notchecked":4,"score":18,"pass":87,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"2626","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":89,"rule_title":"CIS-CAT 1","notchecked":4,"score":53,"pass":62,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":54,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 2","id":"422","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":84,"rule_title":"CIS-CAT 6","notchecked":4,"score":99,"pass":82,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":60,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 
4","id":"112","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":41,"rule_title":"CIS-CAT 4","notchecked":2,"score":16,"pass":92,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":96,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"Sample alert 2","id":"5565","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":91,"rule_title":"CIS-CAT 6","notchecked":2,"score":33,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":32,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 2","id":"2565","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":26,"rule_title":"CIS-CAT 4","notchecked":0,"score":96,"pass":30,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":4,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
1","id":"3334","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":71,"rule_title":"CIS-CAT 1","notchecked":5,"score":98,"pass":34,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":48,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"5080","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":65,"rule_title":"CIS-CAT 4","notchecked":3,"score":83,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":98,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 2","id":"2309","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":70,"rule_title":"CIS-CAT 4","notchecked":3,"score":31,"pass":52,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":78,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":12,"description":"Sample alert 
4","id":"4820","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":6,"rule_title":"CIS-CAT 6","notchecked":2,"score":0,"pass":7,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":36,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"Sample alert 5","id":"5126","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":3,"rule_title":"CIS-CAT 2","notchecked":1,"score":19,"pass":83,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":5,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"5305","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":99,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":46,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":3,"description":"Sample alert 
2","id":"925","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":43,"rule_title":"CIS-CAT 6","notchecked":1,"score":75,"pass":28,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":52,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 2","id":"277","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":86,"rule_title":"CIS-CAT 3","notchecked":5,"score":84,"pass":54,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":63,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 2","id":"77","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":10,"rule_title":"CIS-CAT 2","notchecked":1,"score":46,"pass":37,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":35,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":8,"description":"Sample alert 
2","id":"1151","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":93,"rule_title":"CIS-CAT 3","notchecked":3,"score":13,"pass":42,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":68,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":4,"description":"Sample alert 2","id":"3752","mail":false,"groups":["ciscat"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":55,"rule_title":"CIS-CAT 4","notchecked":3,"score":54,"pass":20,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":62,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 3","id":"2291","mail":false,"groups":["ciscat"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":23,"rule_title":"CIS-CAT 5","notchecked":1,"score":95,"pass":68,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":97,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 
4","id":"2466","mail":false,"groups":["ciscat"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":89,"rule_title":"CIS-CAT 6","notchecked":0,"score":42,"pass":25,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":69,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"598","mail":false,"groups":["ciscat"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":54,"rule_title":"CIS-CAT 2","notchecked":2,"score":32,"pass":64,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":23,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":9,"description":"Sample alert 5","id":"4816","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":95,"rule_title":"CIS-CAT 6","notchecked":2,"score":11,"pass":98,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":95,"result":"notchecked"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":6,"description":"Sample alert 
3","id":"3079","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":30,"rule_title":"CIS-CAT 5","notchecked":1,"score":57,"pass":35,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":33,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":14,"description":"Sample alert 5","id":"4497","mail":false,"groups":["ciscat"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":17,"rule_title":"CIS-CAT 4","notchecked":4,"score":84,"pass":31,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":67,"result":"pass"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"Sample alert 3","id":"5071","mail":false,"groups":["ciscat"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Access, Authentication and Authorization","fail":36,"rule_title":"CIS-CAT 1","notchecked":0,"score":0,"pass":77,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":72,"result":"es"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"Sample alert 
5","id":"2703","mail":false,"groups":["ciscat"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{},"data":{"cis":{"group":"Logging and Auditing","fail":90,"rule_title":"CIS-CAT 5","notchecked":3,"score":73,"pass":6,"timestamp":"{timestamp}", "@timestamp":"{timestamp}","benchmark":"CIS Ubuntu Linux 16.04 LTS Benchmark","unknown":6,"result":"fail"}},"location":""} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 
bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-8631 affects grub-legacy-ec2","id":"23503","firedtimes":32,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"grub-legacy-ec2","source":"cloud-init","version":"19.4-33-gbb4131a2-0ubuntu1~16.04.1","architecture":"all","condition":"Package less or equal than 19.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"}},"cve":"CVE-2020-8631","title":"CVE-2020-8631 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice 
function.","severity":"Low","published":"2020-02-05","updated":"2020-02-21","state":"Fixed","cwe_reference":"CWE-330","references":["http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00042.html","https://bugs.launchpad.net/ubuntu/+source/cloud-init/+bug/1860795","https://github.com/canonical/cloud-init/pull/204","https://lists.debian.org/debian-lts-announce/2020/02/msg00021.html","https://nvd.nist.gov/vuln/detail/CVE-2020-8631","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-8631.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8631"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. 
A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects mount","id":"23505","firedtimes":128,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"mount","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20482 affects tar","id":"23504","firedtimes":88,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"tar","version":"1.29b-2ubuntu0.1","architecture":"amd64","condition":"Package less or equal than 1.30"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"4.700000"}},"cve":"CVE-2018-20482","title":"CVE-2018-20482 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage during read access, which allows local users to cause a denial of service (infinite read loop in sparse_dump_region in sparse.c) by modifying a file that is supposed to be archived by a different user's process (e.g., a system backup running as root).","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Fixed","cwe_reference":"CWE-835","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917377","https://bugzilla.redhat.com/show_bug.cgi?id=1662346"],"references":["http://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42ccd1e2377945fd0414eca1a49294bff454","http://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html","http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html","http://www.securityfocus.com/bid/106354","https://lists.debian.org/debian-lts-announce/2018/12/msg00023.html","https://news.ycombinator.com/item?id=18745431","https://security.gentoo.org/glsa/201903-05","https://twitter.com/thatcks/status/1076166645708668928","https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug","https://nvd.nist.gov/vuln/detail/CVE-2018-20482","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20482.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20482"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-14988 affects libopenexr22","id":"23504","firedtimes":189,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libopenexr22","source":"openexr","version":"2.2.0-11.1ubuntu1.2","architecture":"amd64","condition":"Package matches a vulnerable 
version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-14988","title":"** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote attackers to cause a denial of service (excessive memory allocation) via a crafted file that is accessed with the ImfOpenInputFile function in IlmImf/ImfCRgbaFile.cpp. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid.","severity":"Medium","published":"2017-10-03","updated":"2019-09-23","state":"Pending confirmation","cwe_reference":"CWE-400","references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00063.html","https://github.com/openexr/openexr/issues/248","https://nvd.nist.gov/vuln/detail/CVE-2017-14988"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects libc-bin","id":"23503","firedtimes":12,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects 
thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. 
This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects 
passwd","id":"23503","firedtimes":21,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"passwd","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 
1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects 
open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. 
CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects apache2-bin","id":"23504","firedtimes":191,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-bin","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured 
with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects 
python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. 
An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in 
ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via 
an attempted case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-20483 affects wget","id":"23505","firedtimes":175,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"wget","version":"1.17.1-1ubuntu1.5","architecture":"amd64","condition":"Package less than 
1.20.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.100000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-20483","title":"set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribute, as demonstrated by getfattr. This also applies to Referer information in the user.xdg.referrer.url metadata attribute. According to 2016-07-22 in the Wget ChangeLog, user.xdg.origin.url was partially based on the behavior of fwrite_xattr in tool_xattr.c in curl.","severity":"High","published":"2018-12-26","updated":"2019-04-09","state":"Fixed","cwe_reference":"CWE-255","references":["http://git.savannah.gnu.org/cgit/wget.git/tree/NEWS","http://www.securityfocus.com/bid/106358","https://access.redhat.com/errata/RHSA-2019:3701","https://security.gentoo.org/glsa/201903-08","https://security.netapp.com/advisory/ntap-20190321-0002/","https://twitter.com/marcan42/status/1077676739877232640","https://usn.ubuntu.com/3943-1/","https://nvd.nist.gov/vuln/detail/CVE-2018-20483"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects 
rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-8769 affects elfutils","id":"23505","firedtimes":45,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"elfutils","version":"0.170-0.4ubuntu0.1","architecture":"amd64","condition":"Package matches a vulnerable version"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-8769","title":"elfutils 0.170 has a buffer over-read in the ebl_dynamic_tag_name function of libebl/ebldynamictagname.c because SYMTAB_SHNDX is unsupported.","severity":"High","published":"2018-03-18","updated":"2019-10-03","state":"Pending confirmation","cwe_reference":"CWE-125","references":["https://sourceware.org/bugzilla/show_bug.cgi?id=22976","https://nvd.nist.gov/vuln/detail/CVE-2018-8769"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects 
uuid-runtime","id":"23505","firedtimes":130,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"uuid-runtime","source":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2015-5191 affects open-vm-tools","id":"23504","firedtimes":396,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"open-vm-tools","version":"2:10.2.0-3~ubuntu0.16.04.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"6.700000"}},"cve":"CVE-2015-5191","title":"CVE-2015-5191 on Ubuntu 16.04 
LTS (xenial) - low.","rationale":"VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H","severity":"Medium","published":"2017-07-28","updated":"2017-08-08","state":"Unfixed","cwe_reference":"CWE-362","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869633"],"references":["http://www.securityfocus.com/bid/100011","http://www.securitytracker.com/id/1039013","https://www.vmware.com/security/advisories/VMSA-2017-0013.html","https://nvd.nist.gov/vuln/detail/CVE-2015-5191","http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5191.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5191"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted 
file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 
LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 
1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-3843 affects 
systemd","id":"23505","firedtimes":134,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"systemd","version":"229-4ubuntu21.27","architecture":"amd64","condition":"Package less than 242"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"4.600000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2019-3843","title":"It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. 
A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled.","severity":"High","published":"2019-04-26","updated":"2019-06-19","state":"Fixed","cwe_reference":"CWE-264","references":["http://www.securityfocus.com/bid/108116","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3843","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5JXQAKSTMABZ46EVCRMW62DHWYHTTFES/","https://security.netapp.com/advisory/ntap-20190619-0002/","https://usn.ubuntu.com/4269-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-3843"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - 
low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-7244 affects libpcre3","id":"23504","firedtimes":265,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libpcre3","source":"pcre3","version":"2:8.38-3.1","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2017-7244","title":"CVE-2017-7244 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.","severity":"Medium","published":"2017-03-23","updated":"2018-08-17","state":"Unfixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858683","https://bugs.exim.org/show_bug.cgi?id=2052","https://bugs.exim.org/show_bug.cgi?id=2054"],"references":["http://www.securityfocus.com/bid/97067","https://access.redhat.com/errata/RHSA-2018:2486","https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/","https://security.gentoo.org/glsa/201710-25","https://nvd.nist.gov/vuln/detail/CVE-2017-7244","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7244.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7244"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1547 affects libssl1.0.0","id":"23503","firedtimes":35,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libssl1.0.0","source":"openssl","version":"1.0.2g-1ubuntu4.15","architecture":"amd64","condition":"Package greater or equal than 1.0.2 and less or equal than 
1.0.2s"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"1.900000"}},"cve":"CVE-2019-1547","title":"CVE-2019-1547 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-09-10","updated":"2019-09-12","state":"Fixed","cwe_reference":"CWE-311","references":["http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","https://arxiv.org/abs/1909.01785","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","https://seclists.org/bugtraq/2019/Oct/0","https://seclists.org/bugtraq/2019/Oct/1","https://seclists.org/bugtraq/2019/Sep/25","https://security.gentoo.org/glsa/201911-04","https://security.netapp.com/advisory/ntap-20190919-0002/","https://security.netapp.com/advisory/ntap-20200122-0002/","https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","https://www.debian.org/security/2019/dsa-4539","https://www.debian.org/security/2019/dsa-4540","https://www.openssl.org/news/secadv/20190910.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com/security/t
ns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1547","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1547.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547","https://usn.ubuntu.com/usn/usn-4376-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-15847 affects gcc","id":"23505","firedtimes":86,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gcc","source":"gcc-defaults","version":"4:7.4.0-1ubuntu2.3","architecture":"amd64","condition":"Package less than 10.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"none","availability":"none"},"base_score":"7.500000"}},"cve":"CVE-2019-15847","title":"CVE-2019-15847 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. 
For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.","severity":"High","published":"2019-09-02","updated":"2020-05-26","state":"Fixed","cwe_reference":"CWE-331","bugzilla_references":["https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00056.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00057.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00058.html","https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481","https://nvd.nist.gov/vuln/detail/CVE-2019-15847","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15847.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15847"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in 
coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2019-9169 affects libc6","id":"23506","firedtimes":68,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc6","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 2.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2019-9169","title":"CVE-2019-9169 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted 
case-insensitive regular-expression match.","severity":"Critical","published":"2019-02-26","updated":"2019-04-16","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://sourceware.org/bugzilla/show_bug.cgi?id=24114"],"references":["http://www.securityfocus.com/bid/107160","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140","https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142","https://kc.mcafee.com/corporate/index?page=content&id=SB10278","https://security.netapp.com/advisory/ntap-20190315-0002/","https://sourceware.org/bugzilla/show_bug.cgi?id=24114","https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=583dd860d5b833037175247230a328f0050dbfe9","https://support.f5.com/csp/article/K54823184","https://nvd.nist.gov/vuln/detail/CVE-2019-9169","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9169.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9169"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2018-6485 affects libc-bin","id":"23506","firedtimes":78,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libc-bin","source":"glibc","version":"2.23-0ubuntu11","architecture":"amd64","condition":"Package less or equal than 
2.26"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2018-6485","title":"CVE-2018-6485 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"An integer overflow in the implementation of the posix_memalign in memalign functions in the GNU C Library (aka glibc or libc6) 2.26 and earlier could cause these functions to return a pointer to a heap area that is too small, potentially leading to heap corruption.","severity":"Critical","published":"2018-02-01","updated":"2019-12-10","state":"Fixed","cwe_reference":"CWE-190","bugzilla_references":["http://bugs.debian.org/878159","https://sourceware.org/bugzilla/show_bug.cgi?id=22343"],"references":["http://bugs.debian.org/878159","http://www.securityfocus.com/bid/102912","https://access.redhat.com/errata/RHBA-2019:0327","https://access.redhat.com/errata/RHSA-2018:3092","https://security.netapp.com/advisory/ntap-20190404-0003/","https://sourceware.org/bugzilla/show_bug.cgi?id=22343","https://usn.ubuntu.com/4218-1/","https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","https://nvd.nist.gov/vuln/detail/CVE-2018-6485","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-6485.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6485","https://usn.ubuntu.com/usn/usn-4218-1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-20217 affects 
libkrb5-3","id":"23504","firedtimes":254,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libkrb5-3","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"single","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"3.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.300000"}},"cve":"CVE-2018-20217","title":"CVE-2018-20217 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. 
If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.","severity":"Medium","published":"2018-12-26","updated":"2019-10-03","state":"Unfixed","cwe_reference":"CWE-617","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917387","http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763"],"references":["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763","https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086","https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/","https://security.netapp.com/advisory/ntap-20190416-0006/","https://nvd.nist.gov/vuln/detail/CVE-2018-20217","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20217.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-19232 affects sudo","id":"23504","firedtimes":398,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sudo","version":"1.8.16-0ubuntu1.9","architecture":"amd64","condition":"Package less or equal than 1.8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"}},"cve":"CVE-2019-19232","title":"CVE-2019-19232 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"** DISPUTED ** In Sudo through 1.8.29, an attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user by invoking sudo with a numeric uid that is not associated with any user. NOTE: The software maintainer believes that this is not a vulnerability because running a command via sudo as a user not present in the local password database is an intentional feature. Because this behavior surprised some users, sudo 1.8.30 introduced an option to enable/disable this behavior with the default being disabled. 
However, this does not change the fact that sudo was behaving as intended, and as documented, in earlier versions.","severity":"Medium","published":"2019-12-19","updated":"2020-01-30","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947225"],"references":["http://seclists.org/fulldisclosure/2020/Mar/31","https://access.redhat.com/security/cve/cve-2019-19232","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6TKF36KOQUVJNBHSVJFA7BU3CCEYD2F/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IY6DZ7WMDKU4ZDML6MJLDAPG42B5WVUC/","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58103","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58812","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs58979","https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs76870","https://security.netapp.com/advisory/ntap-20200103-0004/","https://support.apple.com/en-gb/HT211100","https://support.apple.com/kb/HT211100","https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-19232","https://support2.windriver.com/index.php?page=defects&on=view&id=LIN1018-5506","https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2019/12/warnmeldung_cb-k20-0001.html","https://www.oracle.com/security-alerts/bulletinapr2020.html","https://www.sudo.ws/devel.html#1.8.30b2","https://www.sudo.ws/stable.html","https://www.tenable.com/plugins/nessus/133936","https://nvd.nist.gov/vuln/detail/CVE-2019-19232","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19232.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19232"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-1552 affects 
openssl","id":"23503","firedtimes":11,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssl","version":"1.1.1-1ubuntu2.1~18.04.6","architecture":"amd64","condition":"Package greater or equal than 1.1.1 and less or equal than 1.1.1c"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"3.300000"}},"cve":"CVE-2019-1552","title":"OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. 
For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","severity":"Low","published":"2019-07-30","updated":"2019-08-23","state":"Fixed","cwe_reference":"CWE-295","references":["https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd","https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/","https://security.netapp.com/advisory/ntap-20190823-0006/","https://support.f5.com/csp/article/K94041354","https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS","https://www.openssl.org/news/secadv/20190730.txt","https://www.oracle.com/security-alerts/cpuapr2020.html","https://www.oracle.com/security-alerts/cpujan2020.html","https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","https://www.tenable.com
/security/tns-2019-08","https://www.tenable.com/security/tns-2019-09","https://nvd.nist.gov/vuln/detail/CVE-2019-1552"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2016-7948 affects libxrandr2","id":"23506","firedtimes":84,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libxrandr2","source":"libxrandr","version":"2:1.5.0-1","architecture":"amd64","condition":"Package less or equal than 1.5.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2016-7948","title":"CVE-2016-7948 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply 
data.","severity":"Critical","published":"2016-12-13","updated":"2017-07-01","state":"Fixed","cwe_reference":"CWE-787","references":["http://www.openwall.com/lists/oss-security/2016/10/04/2","http://www.openwall.com/lists/oss-security/2016/10/04/4","http://www.securityfocus.com/bid/93373","http://www.securitytracker.com/id/1036945","https://cgit.freedesktop.org/xorg/lib/libXrandr/commit/?id=a0df3e1c7728205e5c7650b2e6dce684139254a6","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/74FFOHWYIKQZTJLRJWDMJ4W3WYBELUUG/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7662OZWCSTLRPKS6R3E4Y4M26BSVAAM/","https://lists.x.org/archives/xorg-announce/2016-October/002720.html","https://security.gentoo.org/glsa/201704-03","https://nvd.nist.gov/vuln/detail/CVE-2016-7948","http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7948.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7948"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-18018 affects coreutils","id":"23504","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"coreutils","version":"8.28-1ubuntu1","architecture":"amd64","condition":"Package less or equal than 
8.29"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"1.900000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"high","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"high","availability":"none"},"base_score":"4.700000"}},"cve":"CVE-2017-18018","title":"CVE-2017-18018 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX \"-R -L\" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.","severity":"Medium","published":"2018-01-04","updated":"2018-01-19","state":"Fixed","cwe_reference":"CWE-362","references":["http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2017-18018","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18018.html","http://www.openwall.com/lists/oss-security/2018/01/04/3","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18018","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html","https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote 
attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to 
arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"006","name":"Windows","ip":"207.45.34.78"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 
2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2020-1752 affects 
multiarch-support","id":"23503","firedtimes":17,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"multiarch-support","source":"glibc","version":"2.27-3ubuntu1","architecture":"amd64","condition":"Package less than 2.32.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"3.700000"}},"cve":"CVE-2020-1752","title":"CVE-2020-1752 on Ubuntu 18.04 LTS (bionic) - medium.","rationale":"A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. 
This was fixed in version 2.32.","severity":"Low","published":"2020-04-30","updated":"2020-05-18","state":"Fixed","cwe_reference":"CWE-416","references":["https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1752","https://security.netapp.com/advisory/ntap-20200511-0005/","https://sourceware.org/bugzilla/show_bug.cgi?id=25414","https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ddc650e9b3dc916eab417ce9f79e67337b05035c","https://nvd.nist.gov/vuln/detail/CVE-2020-1752","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1752.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1752","https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=263e6175999bc7f5adb8b32fd12fcfae3f0bb05a;hp=37db4539dd8b5c098d9235249c5d2aedaa67d7d1"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed 
memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-1000035 affects unzip","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"unzip","version":"6.0-21ubuntu1","architecture":"amd64","condition":"Package less or equal than 6.00"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-1000035","title":"CVE-2018-1000035 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"A heap-based buffer overflow exists in Info-Zip UnZip version <= 6.00 in the processing of password-protected archives that allows an attacker to perform a denial of service or to possibly achieve code 
execution.","severity":"High","published":"2018-02-09","updated":"2020-01-29","state":"Fixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889838"],"references":["https://lists.debian.org/debian-lts-announce/2020/01/msg00026.html","https://sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html","https://security.gentoo.org/glsa/202003-58","https://nvd.nist.gov/vuln/detail/CVE-2018-1000035","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000035.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000035","https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2017-9502 affects curl","id":"23504","firedtimes":334,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"curl","version":"7.47.0-1ubuntu2.14","architecture":"amd64","condition":"Package less or equal than 7.54.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"low"},"base_score":"5.300000"}},"cve":"CVE-2017-9502","title":"In curl before 7.54.1 on Windows and DOS, libcurl's 
default protocol function, which is the logic that allows an application to set which protocol libcurl should attempt to use when given a URL without a scheme part, had a flaw that could lead to it overwriting a heap based memory buffer with seven bytes. If the default protocol is specified to be FILE or a file: URL lacks two slashes, the given \"URL\" starts with a drive letter, and libcurl is built for Windows or DOS, then libcurl would copy the path 7 bytes off, so that the end of the given path would write beyond the malloc buffer (7 bytes being the length in bytes of the ascii string \"file://\").","severity":"Medium","published":"2017-06-14","updated":"2017-07-08","state":"Fixed","cwe_reference":"CWE-119","references":["http://openwall.com/lists/oss-security/2017/06/14/1","http://www.securityfocus.com/bid/99120","http://www.securitytracker.com/id/1038697","https://curl.haxx.se/docs/adv_20170614.html","https://nvd.nist.gov/vuln/detail/CVE-2017-9502"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-12588 affects rsyslog","id":"23506","firedtimes":64,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"rsyslog","version":"8.16.0-1ubuntu3.1","architecture":"amd64","condition":"Package less or equal than 
8.27.0"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-12588","title":"The zmq3 input and output modules in rsyslog before 8.28.0 interpreted description fields as format strings, possibly allowing a format string attack with unspecified impact.","severity":"Critical","published":"2017-08-06","updated":"2017-08-14","state":"Fixed","cwe_reference":"CWE-134","references":["https://github.com/rsyslog/rsyslog/blob/master/ChangeLog","https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b","https://github.com/rsyslog/rsyslog/pull/1565","https://nvd.nist.gov/vuln/detail/CVE-2017-12588"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects libmagickcore-6.q16-3","id":"23504","firedtimes":5,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libmagickcore-6.q16-3","source":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 
7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/securit
y/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-18342 affects python3-yaml","id":"23506","firedtimes":65,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.11-3build1","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-18342","title":"CVE-2017-18342 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. 
The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the function.","severity":"Critical","published":"2018-06-27","updated":"2019-06-24","state":"Unfixed","cwe_reference":"CWE-20","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902878"],"references":["https://github.com/marshmallow-code/apispec/issues/278","https://github.com/yaml/pyyaml/blob/master/CHANGES","https://github.com/yaml/pyyaml/issues/193","https://github.com/yaml/pyyaml/pull/74","https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEX7IPV5P2QJITAMA5Z63GQCZA5I6NVZ/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSQQMRUQSXBSUXLCRD3TSZYQ7SEZRKCE/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6JCFGEIEOFMWWIXGHSELMKQDD4CV2BA/","https://security.gentoo.org/glsa/202003-45","https://nvd.nist.gov/vuln/detail/CVE-2017-18342","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18342.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18342"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal 
than 2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-
security/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2015-2987 affects ed","id":"23503","firedtimes":9,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ed","version":"1.10-2.1","architecture":"amd64","condition":"Package less or equal than 3.4"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"high","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"2.600000"}},"cve":"CVE-2015-2987","title":"Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.","severity":"Low","published":"2015-08-28","updated":"2015-08-31","state":"Fixed","cwe_reference":"CWE-17","references":["http://jvn.jp/en/jp/JVN91474878/index.html","http://jvndb.jvn.jp/jvndb/JVNDB-2015-000119","http://type74.org/edman5-1.php","http://type74org.blog14.fc2.com/blog-entry-1384.html","https://nvd.nist.gov/vuln/detail/CVE-2015-2987"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2020-1927 affects 
apache2-utils","id":"23504","firedtimes":193,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"apache2-utils","source":"apache2","version":"2.4.29-1ubuntu4.13","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"none"},"base_score":"5.800000"}},"cve":"CVE-2020-1927","title":"CVE-2020-1927 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request 
URL.","severity":"Medium","published":"2020-04-02","updated":"2020-04-03","state":"Unfixed","cwe_reference":"CWE-601","references":["http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html","http://www.openwall.com/lists/oss-security/2020/04/03/1","http://www.openwall.com/lists/oss-security/2020/04/04/1","https://httpd.apache.org/security/vulnerabilities_24.html","https://lists.apache.org/thread.html/r10b853ea87dd150b0e76fda3f8254dfdb23dd05fa55596405b58478e@%3Ccvs.httpd.apache.org%3E","https://lists.apache.org/thread.html/r1719675306dfbeaceff3dc63ccad3de2d5615919ca3c13276948b9ac@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r52a52fd60a258f5999a8fa5424b30d9fd795885f9ff4828d889cd201@%3Cdev.httpd.apache.org%3E","https://lists.apache.org/thread.html/r70ba652b79ba224b2cbc0a183078b3a49df783b419903e3dcf4d78c7@%3Ccvs.httpd.apache.org%3E","https://security.netapp.com/advisory/ntap-20200413-0002/","https://nvd.nist.gov/vuln/detail/CVE-2020-1927","http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-1927.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1927","https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17540 affects imagemagick","id":"23504","firedtimes":2,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"imagemagick","version":"8:6.9.7.4+dfsg-16ubuntu6.8","architecture":"amd64","condition":"Package less than 7.0.8-54"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"6.800000"}},"cve":"CVE-2019-17540","title":"ImageMagick before 7.0.8-54 has a heap-based buffer overflow in ReadPSInfo in coders/ps.c.","severity":"Medium","published":"2019-10-14","updated":"2019-10-23","state":"Fixed","cwe_reference":"CWE-120","references":["https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15826","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942578","https://github.com/ImageMagick/ImageMagick/compare/7.0.8-53...7.0.8-54","https://github.com/ImageMagick/ImageMagick/compare/master@%7B2019-07-15%7D...master@%7B2019-07-17%7D","https://security-tracker.debian.org/tracker/CVE-2019-17540","https://nvd.nist.gov/vuln/detail/CVE-2019-17540"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-1010204 affects 
binutils","id":"23504","firedtimes":369,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"binutils","version":"2.26.1-1ubuntu1~16.04.8","architecture":"amd64","condition":"Package greater or equal than 2.21 and less or equal than 2.31.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"4.300000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"none","user_interaction":"required","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"5.500000"}},"cve":"CVE-2019-1010204","title":"CVE-2019-1010204 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"GNU binutils gold gold v1.11-v1.16 (GNU binutils v2.21-v2.31.1) is affected by: Improper Input Validation, Signed/Unsigned Comparison, Out-of-bounds Read. The impact is: Denial of service. The component is: gold/fileread.cc:497, elfcpp/elfcpp_file.h:644. 
The attack vector is: An ELF file with an invalid e_shoff header field must be opened.","severity":"Medium","published":"2019-07-23","updated":"2019-08-22","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://sourceware.org/bugzilla/show_bug.cgi?id=23765"],"references":["https://security.netapp.com/advisory/ntap-20190822-0001/","https://sourceware.org/bugzilla/show_bug.cgi?id=23765","https://support.f5.com/csp/article/K05032915?utm_source=f5support&utm_medium=RSS","https://nvd.nist.gov/vuln/detail/CVE-2019-1010204","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-1010204.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010204"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects sqlite3","id":"23503","firedtimes":19,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE 
statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-client","id":"23504","firedtimes":197,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"002","name":"Amazon","ip":"145.80.240.15"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-client","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 
7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-20079 affects 
vim","id":"23505","firedtimes":109,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"vim","version":"2:7.4.1689-3ubuntu1.4","architecture":"amd64","condition":"Package less than 8.1.2136"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"}},"cve":"CVE-2019-20079","title":"The autocmd feature in window.c in Vim before 8.1.2136 accesses freed memory.","severity":"High","published":"2019-12-30","updated":"2020-03-30","state":"Fixed","cwe_reference":"CWE-416","references":["https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421","https://github.com/vim/vim/compare/v8.1.2135...v8.1.2136","https://packetstormsecurity.com/files/154898","https://usn.ubuntu.com/4309-1/","https://nvd.nist.gov/vuln/detail/CVE-2019-20079"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":13,"description":"CVE-2017-15088 affects krb5-locales","id":"23506","firedtimes":73,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"krb5-locales","source":"krb5","version":"1.13.2+dfsg-5ubuntu2.1","architecture":"all","condition":"Package 
unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"partial","availability":"partial"},"base_score":"7.500000"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"9.800000"}},"cve":"CVE-2017-15088","title":"CVE-2017-15088 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.","severity":"Critical","published":"2017-11-23","updated":"2019-10-09","state":"Unfixed","cwe_reference":"CWE-119","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698"],"references":["http://www.securityfocus.com/bid/101594","https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698","https://bugzilla.redhat.com/show_bug.cgi?id=1504045","https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4","https://github.com/krb5/krb5/pull/707","https://nvd.nist.gov/vuln/detail/CVE-2017-15088","http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15088.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", 
"@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"005","name":"Centos","ip":"197.17.1.4"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. 
NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2019-19645 affects libsqlite3-0","id":"23503","firedtimes":18,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"libsqlite3-0","source":"sqlite3","version":"3.22.0-1ubuntu0.3","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"2.100000"}},"cve":"CVE-2019-19645","title":"CVE-2019-19645 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types 
of self-referential views in conjunction with ALTER TABLE statements.","severity":"Low","published":"2019-12-09","updated":"2019-12-23","state":"Unfixed","cwe_reference":"CWE-674","references":["https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06","https://security.netapp.com/advisory/ntap-20191223-0001/","https://www.oracle.com/security-alerts/cpuapr2020.html","https://nvd.nist.gov/vuln/detail/CVE-2019-19645","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19645.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19645"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-11727 affects thunderbird","id":"23504","firedtimes":312,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"thunderbird","version":"1:68.8.0+build2-0ubuntu0.16.04.2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"low","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2019-11727","title":"CVE-2019-11727 on Ubuntu 16.04 LTS (xenial) - medium.","rationale":"A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 
v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68.","severity":"Medium","published":"2019-07-23","updated":"2019-07-30","state":"Unfixed","cwe_reference":"CWE-295","bugzilla_references":["https://bugzilla.mozilla.org/show_bug.cgi?id=1552208"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00009.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00010.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00011.html","http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00006.html","https://access.redhat.com/errata/RHSA-2019:1951","https://bugzilla.mozilla.org/show_bug.cgi?id=1552208","https://security.gentoo.org/glsa/201908-12","https://www.mozilla.org/security/advisories/mfsa2019-21/","https://nvd.nist.gov/vuln/detail/CVE-2019-11727","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11727.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11727","https://usn.ubuntu.com/usn/usn-4054-1","https://usn.ubuntu.com/usn/usn-4060-1","https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2018-7738 affects 
util-linux","id":"23505","firedtimes":129,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"util-linux","version":"2.27.1-6ubuntu3.10","architecture":"amd64","condition":"Package less or equal than 2.31"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"7.200000"},"cvss3":{"vector":{"attack_vector":"local","access_complexity":"low","privileges_required":"low","user_interaction":"none","scope":"unchanged","confidentiality_impact":"high","integrity_impact":"high","availability":"high"},"base_score":"7.800000"}},"cve":"CVE-2018-7738","title":"CVE-2018-7738 on Ubuntu 16.04 LTS (xenial) - negligible.","rationale":"In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for 
autocompletion.","severity":"High","published":"2018-03-07","updated":"2019-10-03","state":"Fixed","cwe_reference":"NVD-CWE-noinfo","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892179","https://github.com/karelzak/util-linux/issues/539"],"references":["http://www.securityfocus.com/bid/103367","https://bugs.debian.org/892179","https://github.com/karelzak/util-linux/commit/75f03badd7ed9f1dd951863d75e756883d3acc55","https://github.com/karelzak/util-linux/issues/539","https://www.debian.org/security/2018/dsa-4134","https://nvd.nist.gov/vuln/detail/CVE-2018-7738","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-7738.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7738"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2019-17595 affects ncurses-base","id":"23504","firedtimes":222,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"007","name":"Debian","ip":"24.273.97.14"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"ncurses-base","source":"ncurses","version":"6.1-1ubuntu1.18.04","architecture":"all","condition":"Package less than 6.1.20191012"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"medium","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"partial"},"base_score":"5.800000"}},"cve":"CVE-2019-17595","title":"CVE-2019-17595 on Ubuntu 18.04 LTS (bionic) - negligible.","rationale":"There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 
6.1-20191012.","severity":"Medium","published":"2019-10-14","updated":"2019-12-23","state":"Fixed","cwe_reference":"CWE-125","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942401"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html","http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html","https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html","https://nvd.nist.gov/vuln/detail/CVE-2019-17595","http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-17595.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17595"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":5,"description":"CVE-2013-4235 affects login","id":"23503","firedtimes":20,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"login","source":"shadow","version":"1:4.5-1ubuntu2","architecture":"amd64","condition":"Package unfixed"},"cvss":{"cvss2":{"vector":{"attack_vector":"local","access_complexity":"medium","authentication":"none","confidentiality_impact":"none","integrity_impact":"partial","availability":"partial"},"base_score":"3.300000"}},"cve":"CVE-2013-4235","title":"CVE-2013-4235 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory 
trees","severity":"Low","published":"2019-12-03","updated":"2019-12-13","state":"Unfixed","cwe_reference":"CWE-367","bugzilla_references":["https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778950","https://bugzilla.redhat.com/show_bug.cgi?id=884658"],"references":["https://access.redhat.com/security/cve/cve-2013-4235","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4235","https://security-tracker.debian.org/tracker/CVE-2013-4235","https://nvd.nist.gov/vuln/detail/CVE-2013-4235","http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4235.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4235"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":7,"description":"CVE-2018-15919 affects openssh-server","id":"23504","firedtimes":198,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"RHEL7","ip":"187.54.247.68"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"openssh-server","source":"openssh","version":"1:7.6p1-4ubuntu0.3","architecture":"amd64","condition":"Package greater or equal than 5.9 and less or equal than 7.8"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"partial","integrity_impact":"none","availability":"none"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"low","integrity_impact":"none","availability":"none"},"base_score":"5.300000"}},"cve":"CVE-2018-15919","title":"CVE-2018-15919 on Ubuntu 18.04 LTS (bionic) - low.","rationale":"Remotely observable 
behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or \"oracle\") as a vulnerability.'","severity":"Medium","published":"2018-08-28","updated":"2019-03-07","state":"Fixed","cwe_reference":"CWE-200","bugzilla_references":["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907503","https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-15919"],"references":["http://seclists.org/oss-sec/2018/q3/180","http://www.securityfocus.com/bid/105163","https://security.netapp.com/advisory/ntap-20181221-0001/","https://nvd.nist.gov/vuln/detail/CVE-2018-15919","http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-15919.html","http://www.openwall.com/lists/oss-security/2018/08/27/2","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15919"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2020-1747 affects python3-yaml","id":"23505","firedtimes":44,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"004","name":"Ubuntu","ip":"47.204.15.21"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"python3-yaml","source":"pyyaml","version":"3.12-1build2","architecture":"amd64","condition":"Package less than 5.3.1"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"complete","integrity_impact":"complete","availability":"complete"},"base_score":"10"}},"cve":"CVE-2020-1747","title":"A vulnerability was discovered in the 
PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.","severity":"High","published":"2020-03-24","updated":"2020-05-11","state":"Fixed","cwe_reference":"CWE-20","references":["http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html","http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html","https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747","https://github.com/yaml/pyyaml/pull/386","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2/","https://nvd.nist.gov/vuln/detail/CVE-2020-1747"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp":"{timestamp}", "@timestamp":"{timestamp}","rule":{"level":10,"description":"CVE-2019-13050 affects gnupg","id":"23505","firedtimes":114,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"003","name":"ip-10-0-0-180.us-west-1.compute.internal","ip":"10.0.0.180"},"manager":{"name":"wazuh-manager"},"cluster":{"name":"wazuh-cluster","node":"wazuh-manager"},"id":"1580123327.49031","predecoder":{},"decoder":{"name":"json"},"data":{"vulnerability":{"package":{"name":"gnupg","version":"1.4.20-1ubuntu3.3","architecture":"amd64","condition":"Package less or equal than 
2.2.16"},"cvss":{"cvss2":{"vector":{"attack_vector":"network","access_complexity":"low","authentication":"none","confidentiality_impact":"none","integrity_impact":"none","availability":"partial"},"base_score":"5"},"cvss3":{"vector":{"attack_vector":"network","access_complexity":"low","privileges_required":"none","user_interaction":"none","scope":"unchanged","confidentiality_impact":"none","integrity_impact":"none","availability":"high"},"base_score":"7.500000"}},"cve":"CVE-2019-13050","title":"CVE-2019-13050 on Ubuntu 16.04 LTS (xenial) - low.","rationale":"Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.","severity":"High","published":"2019-06-29","updated":"2019-07-09","state":"Fixed","cwe_reference":"CWE-297","bugzilla_references":["https://bugs.launchpad.net/bugs/1844059","https://bugzilla.suse.com/show_bug.cgi?id=CVE-2019-13050","https://dev.gnupg.org/T4591","https://dev.gnupg.org/T4607","https://dev.gnupg.org/T4628"],"references":["http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00039.html","https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUK2YRO6QIH64WP2LRA5D4LACTXQPPU4/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CP4ON34YEXEZDZOXXWV43KVGGO6WZLJ5/","https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html","https://support.f5.com/csp/article/K08654551","https://support.f5.com/csp/article/K08654551?utm_source=f5support&utm_medium=RSS","https://twitter.com/lambdafu/status/1147162583969009664","https://nvd.nist.gov/vuln/detail/CVE-2019-13050","http://people.canonical.com/~ubuntu-secur
ity/cve/2019/CVE-2019-13050.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13050"],"assigner":"cve@mitre.org","cve_version":"4.0"}},"location":"vulnerability-detector"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", 
"detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 160.0.14.40] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 2.25.80.45] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container nginx_container restarted", "groups": ["docker"], "id": "87909", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "restart", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "5f91cd9a9f4c5b370b7314c29cc8a2a28c72a61f9659953fa75df643502b3693"}, "scope": "local", "timeNano": "1586460544801840896.000000", "from": "nginx", "time": "1586460544", "status": "restart"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container received the action: die", "groups": ["docker"], "id": "87928", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": 
{"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "die", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "exitCode": "0", "maintainer": "NGINX Docker Maintainers "}, "ID": "6d145b0c801fce46301fa96354d0ea29e4b1ea82fe7021799a01e2abe04a18c8"}, "scope": "local", "timeNano": "1587084648640092672.000000", "from": "nginx", "time": "1587084648", "status": "die"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Container test_container started", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "start", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "test_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "ebe3de16ea5b18aecc216f1cabbab887fd7aa7408dbd761719cd69b3089120fa"}, "scope": "local", "timeNano": "1587084600046795264.000000", "from": "nginx", "time": "1587084600", "status": "start"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 3, "description": "Docker: Network bridge connected", "groups": ["docker"], "id": "87928"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "connect", "Type": "network", "Actor": {"Attributes": {"container": "fcaa90b845d05ec7ae7a5097a8596b35edf6d368a00f93fe9872a6d5b1449bb9", "name": "bridge", "type": "bridge"}, "ID": 
"d69c82315c95fee242619571726ead25f9447065db44e814bd3e07ea00daebb2"}, "scope": "local", "timeNano": "1587084599776133888.000000", "time": "1587084599"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 4, "description": "Docker: Network bridge disconnected", "groups": ["docker"], "id": "87929", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "disconnect", "Type": "network", "Actor": {"Attributes": {"container": "555b9855a3d5f97bc5156e3d61bcd67ef236f2875cdfaf4e49659c085c69f942", "name": "bridge", "type": "bridge"}, "ID": "26fc9c96a6d0077c55b4ab068408df1be2c77789254262ae65d4f469b7f520fb"}, "scope": "local", "timeNano": "1586460544485358336.000000", "time": "1586460544"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 1, "mail": false, "level": 7, "description": "Docker: Container nginx_container received the action: kill", "groups": ["docker"], "id": "87924", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "kill", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "signal": "15", "maintainer": "NGINX Docker Maintainers "}, "ID": "a5f7bce90032373cf7f6a489ba8ba19744dafef91a5f9eac072e3f7265475ac2"}, "scope": "local", "timeNano": "1586460544324527616.000000", "from": "nginx", "time": "1586460544", "status": "kill"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - 
Unprotected port on EC2 instance i-0b0b8b34a48c8f1c4 is being probed. [IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": 
"Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 187.234.16.206] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 70.24.101.214] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": 
"Colima"}, "geoLocation": {"lon": "-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 10, "mail": false, "level": 3, "description": "AWS GuardDuty: PORT_PROBE - Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed. 
[IP: 75.0.101.245] [Port: 80]", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80305"}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "2", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2019-03-22T14:15:41Z", "instanceId": "i-0cab4a083d57dc400", "networkInterfaces": {"networkInterfaceId": "eni-0bb465b2d939dbda6", "subnetId": "subnet-6b1d6203", "vpcId": "vpc-921e61fa", "privateDnsName": "ip-10-0-0-1.ec2.internal", "publicIp": "54.90.48.38", "publicDnsName": "ec2-54.90.48.38.compute-1.amazonaws.com", "privateIpAddress": "10.0.0.1"}, "instanceState": "running", "imageId": "ami-09ae67bbfcd740875", "instanceType": "a1.medium", "imageDescription": "Canonical, Ubuntu, 18.04 LTS, UNSUPPORTED daily arm64 bionic image build on 2019-02-12", "productCodes": {"productCodeId": "zud1u4kjmxu2j2jf0n36bqa", "productCodeType": "marketplace"}, "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOUFGA", "arn": "arn:aws:iam::150447125201:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1e"}}, "description": "EC2 instance has an unprotected port which is being probed by a known malicious host.", "source": "guardduty", "type": "Recon:EC2/PortProbeUnprotectedPort", "title": "Unprotected port on EC2 instance i-0cab4a083d57dc400 is being probed.", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b400c06fb2897dfcebffb80d", "additionalInfo": {"threatListName": "ProofPoint", "threatName": "Scanner"}, "count": "3990", "action": {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": "false", "portProbeDetails": {"localPortDetails": {"port": "80", "portName": "HTTP"}, "remoteIpDetails": {"country": {"countryName": "Mexico"}, "city": {"cityName": "Colima"}, "geoLocation": {"lon": 
"-103.714500", "lat": "19.266800"}, "organization": {"asnOrg": "Internet Mexico Company", "org": "Internet Mexico Company", "isp": "Internet Mexico Company", "asn": "4257"}, "ipAddressV4": "187.234.16.206"}}}}, "serviceName": "guardduty", "eventFirstSeen": "2024-06-27T12:06:35.030Z", "eventLastSeen": "2024-06-30T12:06:35.030Z"}, "region": "eu-central-1", "accountId": "250141701015", "log_info": {"s3bucket": "aws-sample-bucket-4", "log_file": "guardduty/2024/06/30/12/firehose_guardduty-1-2024-06-30-12-06-35-030b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "createdAt": "2024-06-27T12:06:35.030Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 3, "description": "Docker: Container nginx_container stopped", "groups": ["docker"], "id": "87904", "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "stop", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers "}, "ID": "1645a13ddb2f0ff8f5615b4535e57d4f08b6e444effc71b21962473edbffa758"}, "scope": "local", "timeNano": "1586461541373152000.000000", "from": "nginx", "time": "1586461541", "status": "stop"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"firedtimes": 2, "mail": false, "level": 5, "pci_dss": ["10.2.7"], "description": "Docker: Started shell session in container nginx_container", "groups": ["docker"], "id": "87908", "nist_800_53": ["AU.14"], "gdpr": ["IV_32.2"]}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Action": "exec_start: bash ", "Type": "container", "Actor": {"Attributes": {"image": "nginx", "name": "nginx_container", "maintainer": "NGINX Docker Maintainers ", "execID": "69819869eefb3795e2015b603a2f85d6f5f556e5776428b5360fc9dfe5bfce47"}, "ID": "ff2d3b3018f1a5d97655666b7754c222a76034d536ef1de451a02fb524579c77"}, "timeNano": "1587404196804128000.000000", "from": "nginx", "time": "1587404196", "status": "exec_start: bash "}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh pulled", "id": "87932", "firedtimes": 1, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh:3.9.2_7.1.1", "Attributes": {"name": "wazuh/wazuh"}}, "scope": "local", "time": "1563354346", "timeNano": "1563354346181027328.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-elasticsearch pulled", "id": "87932", "firedtimes": 2, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": 
"wazuh/wazuh-elasticsearch:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-elasticsearch", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "elasticsearch", "schema-version": "1.0", "url": "https://www.elastic.co/products/elasticsearch", "vcs-url": "https://github.com/elastic/elasticsearch", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-kibana pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-kibana:3.9.2_7.1.1", "Attributes": {"license": "Elastic License", "name": "wazuh/wazuh-kibana", "org": {"label-schema": {"build-date": "20190305", "license": "GPLv2", "name": "kibana", "schema-version": "1.0", "url": "https://www.elastic.co/products/kibana", "vcs-url": "https://github.com/elastic/kibana", "vendor": "Elastic", "version": "7.1.1"}}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Image or repository wazuh/wazuh-nginx pulled", "id": "87932", "firedtimes": 3, "mail": false, "groups": ["docker"], "pci_dss": ["10.2.7"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": 
{"integration": "docker", "docker": {"status": "pull", "id": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Type": "image", "Action": "pull", "Actor": {"ID": "wazuh/wazuh-nginx:3.9.2_7.1.1", "Attributes": {"maintainer": "NGINX Docker Maintainers ", "name": "wazuh/wazuh-nginx"}}}, "scope": "local", "time": "1563354404", "timeNano": "1563354404067201536.000000"}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"level": 3, "description": "Docker: Network vagrant_default created", "id": "87930", "firedtimes": 1, "mail": false, "pci_dss": ["10.2.7"], "groups": ["docker"]}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {"integration": "docker", "docker": {"Type": "network", "Action": "create", "Actor": {"ID": "80f3e2aad6cb19bcc14751551f4ea20037e41c07491a6cf4ccf093b978a8955c", "Attributes": {"name": "vagrant_default", "type": "bridge"}}, "scope": "local", "time": "1563354307", "timeNano": "1563354307459382528.000000"}}, "location": ""} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal Administrators.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": 
"Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal LOCAL Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", 
"ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "India", "location": {"lat": 19.0728302, "lon": 72.8826065}, "region_name": "Bombay", "city_name": "Bombay"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal NETWORK Service.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "United States of America", "location": {"lat": 40.7142715, "lon": -74.0059662}, "region_name": "New York", "city_name": "New York"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal SYSTEM.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": 
"manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, 
"location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Australia", "location": {"lat": -33.8678513, "lon": 151.2073212}, "region_name": "Sydney", "city_name": "Sydney"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal ec2-user.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "France", "location": {"lat": 48.8534088, "lon": 2.3487999}, "region_name": "Paris", "city_name": "Paris"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal root.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": 
{"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", 
"input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal suricata.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 12}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. 
Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": "2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: AWS_API_CALL - Unusual console login was seen for principal wazuh.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", 
"ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"accessKeyDetails": {"principalId": "AIDAIL4SI43KE7QMMBABB", "userType": "IAMUser", "userName": "ec2-user"}, "resourceType": "AccessKey"}, "log_info": {"s3bucket": "aws-sample-bucket-5", "log_file": "guardduty/2024/07/04/00/firehose_guardduty-1-2024-07-04-00-04-50-564b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}, "description": "Unusual console login seen from principal Administrators. Login activity using this client application, from the specific location has not been seen before from this principal.", "source": "guardduty", "type": "UnauthorizedAccess:IAMUser/ConsoleLogin", "title": "Unusual console login was seen for principal Administrators.", "accountId": "18773455640", "createdAt": "2024-07-01T00:04:50.564Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "TARGET", "detectorId": "cab38390b728c06fb2897dfcebffb80d", "eventFirstSeen": "2024-07-01T00:04:50.564Z", "eventLastSeen": "2024-07-04T00:04:50.564Z", "additionalInfo": {"recentApiCalls": {"count": "3669", "api": "ConsoleLogin"}}, "count": "3669", "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {"callerType": "Remote IP", "api": "ConsoleLogin", "serviceName": "signin.amazonaws.com", "remoteIpDetails": {"country": {"countryName": "United States"}, "city": {"cityName": "Panama City"}, "geoLocation": {"lon": "-85.669600", "lat": "30.190900"}, "organization": {"asnOrg": "Internet Innovations", "org": "Intenet Innovations", "isp": "Intenet Innovations", "asn": "4252"}, "ipAddressV4": "70.24.101.214"}}}, "serviceName": "guardduty"}, "id": "a8b8d0b82c50eed686df4d24fa87b657", "region": "ca-central-1", "arn": "arn:aws:guardduty:us-east-1:166157441478:detector/cab38390b728c06fb2897dfcebffc80d/finding/a8b8d0b82c50eed686df4d24fa87b657", "updatedAt": 
"2020-04-22T10:30:26.721Z"}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Brasil", "location": {"lat": -22.9064198, "lon": -43.1822319}, "region_name": "R\u00edo de Janeiro", "city_name": "R\u00edo de Janeiro"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": 
"2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", "portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Spain", "location": {"lat": 37.1881714, "lon": -3.6066699}, "region_name": "Andaluc\u00eda", "city_name": "Granada"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": false, "level": 6, "description": "AWS GuardDuty: NETWORK_CONNECTION - Unusual outbound communication seen from EC2 instance i-0cab4a083d57dc400 on server port 5060.", "groups": ["amazon", "aws", "aws_guardduty"], "id": "80302", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": 
"187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"integration": "aws", "aws": {"severity": "5", "schemaVersion": "2.0", "resource": {"resourceType": "Instance", "instanceDetails": {"launchTime": "2020-04-22T11:17:08Z", "instanceId": "i-0b0b8b34a48c8f1c4", "networkInterfaces": {"networkInterfaceId": "eni-01e777fb9acd548e4", "subnetId": "subnet-7930da22", "vpcId": "vpc-68e3c60f", "privateDnsName": "ip-10-0-2-2.ec2.internal", "publicIp": "40.220.125.204", "publicDnsName": "ec2-40.220.125.204.compute-1.amazonaws.com", "privateIpAddress": "10.0.2.2"}, "instanceState": "running", "imageId": "ami-0ff8a91507f77f900", "instanceType": "t2.small", "imageDescription": "Amazon Linux AMI 2018.03.0.20180811 x86_64 HVM GP2", "iamInstanceProfile": {"id": "AIPAJGAZMFPZHKIBOCBIG", "arn": "arn:aws:iam::186154171780:instance-profile/opsworks-web-production"}, "availabilityZone": "us-east-1a"}}, "description": "EC2 instance i-0b0b8b34a48c8f1c4 is communicating with a remote host on an unusual server port 5060.", "source": "guardduty", "type": "Behavior:EC2/NetworkPortUnusual", "title": "Unusual outbound communication seen from EC2 instance i-0b0b8b34a48c8f1c4 on server port 5060.", "accountId": "18773455640", "createdAt": "2024-07-01T05:44:59.824Z", "partition": "aws", "service": {"archived": "false", "resourceRole": "ACTOR", "detectorId": "cab38390b728c06fb2897dfcebffc80d", "eventFirstSeen": "2024-07-01T05:44:59.824Z", "eventLastSeen": "2024-07-04T05:44:59.824Z", "additionalInfo": {"localPort": "2222", "outBytes": "2524", "inBytes": "7187", "unusual": "1323"}, "count": "3251", "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {"localIpDetails": {"ipAddressV4": "10.0.2.2"}, "protocol": "TCP", "blocked": "false", "connectionDirection": "OUTBOUND", "localPortDetails": {"port": "36220", "portName": "Unknown"}, "remotePortDetails": {"port": "5050", 
"portName": "Unknown"}, "remoteIpDetails": {"country": {"countryName": "Italy"}, "city": {"cityName": "Palermo"}, "geoLocation": {"lon": "13.334100", "lat": "38.129000"}, "organization": {"asnOrg": "Net Connections", "org": "Net Connections", "isp": "Net Connections", "asn": "1547"}, "ipAddressV4": "75.0.101.245"}}}, "serviceName": "guardduty"}, "id": "06b8d0602d109db1282f9143809f80b8", "region": "ap-east-1", "arn": "arn:aws:guardduty:ap-northeast-3:166157441758:detector/cab38390b728c06fb2897dfcebffb79d/finding/06b8d0602d109db1282f9143809f80b8", "updatedAt": "2020-04-22T07:18:12.778Z", "log_info": {"s3bucket": "aws-sample-bucket-3", "log_file": "guardduty/2024/07/04/05/firehose_guardduty-1-2024-07-04-05-44-59-824b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Germany", "location": {"lat": 52.524, "lon": 13.411}, "region_name": "Berlin", "city_name": "Berlin"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"mail": true, "level": 12, "description": "AWS Macie CRITICAL: S3 Bucket IAM policy grants global read rights - S3 Bucket uses IAM policy to grant read rights to Everyone. Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "groups": ["amazon", "aws", "aws_macie"], "id": "80355", "firedtimes": 10}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {"name": "json"}, "data": {"aws": {"severity": "CRITICAL", "actor": "resources.wazuh.sample.com", "summary": {"Timestamps": "2024-06-27T08:55:29.145Z", "Description": "S3 Bucket uses IAM policy to grant read rights to Everyone. 
Your IAM policy contains a clause that effectively grants read access to any user. Please audit this bucket, and data contained within and confirm that this is intentional. If intentional, please use the alert whitelist feature to prevent future alerts", "Bucket": "resources.wazuh.sample.com,", "Record Count": "1", "Event Count": "1", "recipientAccountId": "166157441400", "ACL": {"resources": {"wazuh": {"com": {"Owner": {"DisplayName": "wazuh", "ID": "3ab1235e25ea9e94ff9b7e4e379ba6b0c872cd36c096e1ac8cce7df433b48700"}}}}}}, "risk-score": "9", "notification-type": "ALERT_CREATED", "name": "S3 Bucket IAM policy grants global read rights", "created-at": "2024-06-27T08:55:29.145Z", "source": "macie", "url": "https://mt.eu-west-1.macie.aws.amazon.com/posts/arn%3Aaws%3Amacie%3Aeu-west-1%3A166158075623%3Atrigger%2Fb731d9ffb1fe61508d4b490c92efa666%2Falert%2Fd78f0fd0a55ad458799e4c1fb6a0eded", "tags": {"value": "Open Permissions,Basic Alert,"}, "alert-arn": "arn:aws:macie:eu-west-1:166157441400:trigger/b731d9ffb1fe61508d4a478c92efa666/alert/d78f0fd0a55ad458799e4c1fb6a0ed", "region": "ap-southeast-1", "log_info": {"s3bucket": "aws-sample-bucket-9", "log_file": "macie/2024/06/30/08/firehose_macie-1-2024-06-30-08-55-29-0b1ede94-f399-4e54-8815-1c6587eee3b1//firehose_guardduty-1-2024-06-30-08-55-29-145b5b9b-ec62-4a07-85d7-b1699b9c031e.zip"}}, "integration": "aws"}, "location": "Wazuh-AWS", "input": {"type": "log"}, "GeoLocation": {"country_name": "Canada", "location": {"lat": 49.2496605, "lon": -123.119339}, "region_name": "Vancouver", "city_name": "Vancouver"}} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3852, "level": 9, "status": "enabled", "details": {"frequency": "14", "timeframe": "120", "ignore": "240", "if_matched_sid": "3802", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], 
"tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail 500 error code (spam)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3306, "level": 6, "status": "enabled", "details": {"if_sid": "3301, 3302", "match": " blocked using "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: IP Address black-listed by anti-spam (blocked)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0075-cisco-ios_rules.xml", "relative_dirname": "ruleset/rules", "id": 4722, "level": 3, "status": "enabled", "details": {"if_sid": "4715", "id": "^%SEC_LOGIN-5-LOGIN_SUCCESS"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "cisco_ios"], "description": "Cisco IOS: Successful login to the router."}, "agent": 
{"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4851, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "4803"}, "pci_dss": ["10.6.1"], "gpg13": ["3.5"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "sonicwall"], "description": "SonicWall: Multiple firewall error messages."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4386, "level": 10, "status": "enabled", "details": {"frequency": "10", "timeframe": "240", "if_matched_sid": "4334", "same_source_ip": ""}, "pci_dss": ["11.4", "10.2.4", "10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["SI.4", "AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Initial Access"], "id": ["T1110", "T1133"], "technique": ["Brute Force", "External Remote Services"]}, "groups": ["authentication_failures", "syslog", "pix"], "description": "PIX: Multiple AAA (VPN) authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3353, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3303", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0045-mailscanner_rules.xml", "relative_dirname": "ruleset/rules", "id": 3751, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "3702", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access", "Collection"], "id": ["T1110", "T1114"], "technique": ["Brute Force", "Email Collection"]}, "groups": ["multiple_spam", "syslog", "mailscanner"], "description": "mailscanner: Multiple attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, 
"location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3151, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3102", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Sender domain has bogus MX record. It should not be sending e-mail."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3158, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3108", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple pre-greetings rejects."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5703, "level": 10, 
"status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5702", "same_source_ip": ""}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible breakin attempt (high number of reverse lookup errors)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4507, "level": 8, "status": "enabled", "details": {"if_sid": "4502", "id": "^00515"}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "netscreenfw"], "description": "Netscreen firewall: Successfull admin login"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5302, "level": 9, "status": "enabled", "details": {"if_sid": "5301", "user": "^root"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3", "CC7.4"], "mitre": {"tactic": 
["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["authentication_failed", "syslog", "su"], "description": "User missed the password to change UID to root."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4550, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503", "same_source_ip": ""}, "pci_dss": ["1.4", "10.6.1", "11.4"], "gpg13": ["4.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6", "SI.4"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3", "CC6.1"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages from same source IP."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "ignore": "60", "if_matched_sid": "4503"}, "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["netscreenfw"], "description": "Netscreen firewall: Multiple critical messages."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": 
"1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3602, "level": 3, "status": "enabled", "details": {"if_sid": "3600", "match": "Authenticated user="}, "pci_dss": ["10.2.5"], "gpg13": ["7.1"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "imapd"], "description": "Imapd user login."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2960, "level": 2, "status": "enabled", "details": {"decoded_as": "gpasswd", "match": "added by"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], "description": "User added to group."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5403, "level": 4, "status": "enabled", "details": {"if_sid": "5400", "if_fts": ""}, "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "First time user executed sudo."}, "agent": 
{"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5402, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=root ; COMMAND=| ; USER=root ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo to ROOT executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3105, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain is not found (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3153, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3104", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple relaying attempts of spam."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3108, "level": 6, "status": "enabled", "details": {"if_sid": "3100", "match": "rejecting commands from"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sendmail rejected due to pre-greeting."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5601, "level": 5, "status": "enabled", "details": {"if_sid": "5600", "match": "refused connect from "}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer 
Protocol"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Connection refused by TCP Wrappers."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3398, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "MAIL|does not resolve to address"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Illegal address from unknown sender"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3302, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^550$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Rejected by access list (Requested action not taken)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": 
"/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5404, "level": 10, "status": "enabled", "details": {"if_sid": "5401", "match": "3 incorrect password attempts"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Three failed attempts to run sudo"}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2502, "level": 10, "status": "enabled", "details": {"match": "more authentication failures;|REPEATED login failures"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failed", "syslog", "access_control"], "description": "syslog: User missed the password more than one time"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5103, "level": 9, "status": "enabled", "details": {"if_sid": "5100", 
"match": "Oversized packet received from"}, "gdpr": ["IV_35.7.d"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "linuxkernel"], "description": "Error message from the kernel. Ping of death attack."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3191, "level": 6, "status": "enabled", "details": {"if_sid": "3190", "match": "^sender check failed|^sender check tempfailed"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["smf-sav", "spam", "syslog", "sendmail"], "description": "sendmail: SMF-SAV sendmail milter unable to verify address (REJECTED)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5401, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "incorrect password attempt"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Failed attempt to run sudo."}, "agent": {"id": "003", "name": 
"ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3354, "level": 12, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3304", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple misuse of SMTP service (bad sequence of commands)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4342, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-502101|^5-502102"}, "pci_dss": ["8.1.2", "10.2.5"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.a.2.I", "164.312.a.2.II", "164.312.b"], "nist_800_53": ["AC.2", "IA.4", "AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion", "Initial Access"], "id": ["T1089", "T1133"], "technique": ["Disabling Security Tools", "External Remote Services"]}, "groups": ["adduser", "account_changed", "syslog", "pix"], "description": "PIX: User created or modified on the Firewall."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, 
"manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3102, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=451 4.1.8 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender domain does not have any valid MX record (Requested action aborted)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3154, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3105", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender domain."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": 
"0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5501, "level": 3, "status": "enabled", "details": {"if_sid": "5500", "match": "session opened for user "}, "pci_dss": ["10.2.5"], "gpg13": ["7.8", "7.9"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "pam", "syslog"], "description": "PAM: Login session opened."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3304, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^503$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Improper use of SMTP command pipelining (503: Bad sequence of commands)."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3152, "level": 6, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3103", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", 
"CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from a previously rejected sender (access)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3303, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^450$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Sender domain is not found (450: Requested mail action not taken)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4340, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111005|^5-111004|^5-111002|^5-111007"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], 
"description": "PIX: Firewall configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3396, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "verification"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: hostname verification failed"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4335, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113004"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: AAA (VPN) authentication successful."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": 
{"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2833, "level": 8, "status": "enabled", "details": {"if_sid": "2832", "match": "^(root)"}, "pci_dss": ["10.2.7", "10.6.1", "10.2.2"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AU.6", "AC.6"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "cron"], "description": "Root's crontab entry changed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3103, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.0.0 |reject=553 5.3.0"}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Rejected by access list (55x: Requested action not taken)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2961, "level": 5, "status": "enabled", "details": {"if_sid": "2960", "group": "sudo"}, "gpg13": ["7.9", "4.13"], "gdpr": ["IV_32.2"], "mitre": {"tactic": ["Persistence"], "id": ["T1136"], "technique": ["Create Account"]}, "groups": ["syslog", "yum"], 
"description": "User added to group sudo."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3351, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "90", "if_matched_sid": "3301", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple relaying attempts of spam."}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5304, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user|succeeded for|", "^+|^S+ to |^SU S+ S+ + "]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": 
"wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0050-ms-exchange_rules.xml", "relative_dirname": "ruleset/rules", "id": 3851, "level": 9, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "ignore": "120", "if_matched_sid": "3801", "same_source_ip": ""}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "ms", "exchange"], "description": "ms-exchange: Multiple e-mail attempts to an invalid account."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5132, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "module verification failed"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Unsigned kernel module was loaded"}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0090-telnetd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5631, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "120", "if_matched_sid": 
"5602", "same_source_ip": ""}, "gdpr": ["IV_35.7.d", "IV_32.2"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["syslog", "telnetd"], "description": "telnetd: Multiple connection attempts from same source (possible scan)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4339, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^5-111003"}, "pci_dss": ["1.1.1", "10.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["CM.3", "CM.5", "AU.8"], "tsc": ["CC8.1", "CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "syslog", "pix"], "description": "PIX: Firewall configuration deleted."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5701, "level": 8, "status": "enabled", "details": {"if_sid": "5700", "match": "Bad protocol version identification"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1190"], "technique": ["Exploit Public-Facing Application"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: Possible attack 
on the ssh server (or version gathering)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0040-imapd_rules.xml", "relative_dirname": "ruleset/rules", "id": 3651, "level": 10, "status": "enabled", "details": {"frequency": "$IMAPD_FREQ", "timeframe": "120", "if_matched_sid": "3601", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "imapd"], "description": "Imapd Multiple failed logins from same source ip."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5407, "level": 3, "status": "enabled", "details": {"if_sid": "5400", "regex": " ; USER=S+ ; COMMAND=| ; USER=S+ ; TSID=S+ ; COMMAND="}, "pci_dss": ["10.2.5", "10.2.2"], "gpg13": ["7.6", "7.8", "7.13"], "gdpr": ["IV_32.2"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Successful sudo executed."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": 
"/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3155, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "if_matched_sid": "3106", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple attempts to send e-mail from invalid/unknown sender."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3156, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "120", "if_matched_sid": "3107", "same_source_ip": ""}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "sendmail"], "description": "sendmail: Multiple rejected e-mails from same source ip."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3911, "level": 10, 
"status": "enabled", "details": {"frequency": "17", "timeframe": "30", "if_matched_sid": "3901", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["recon", "syslog", "courier"], "description": "Courier: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 1003, "level": 13, "status": "enabled", "details": {"maxsize": "1025", "noalert": "1"}, "gpg13": ["4.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "errors"], "description": "Non standard syslog message (size too large)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0080-sonicwall_rules.xml", "relative_dirname": "ruleset/rules", "id": 4810, "level": 3, "status": "enabled", "details": {"if_sid": "4806", "id": "^236$"}, "pci_dss": ["10.2.5"], "gpg13": ["3.6"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "sonicwall"], "description": "SonicWall: Firewall administrator login."}, "agent": 
{"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4509, "level": 8, "status": "enabled", "details": {"if_sid": "4504", "id": "^00767"}, "pci_dss": ["1.1.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.a.1"], "nist_800_53": ["CM.3", "CM.5"], "tsc": ["CC8.1"], "mitre": {"tactic": ["Defense Evasion"], "id": ["T1089"], "technique": ["Disabling Security Tools"]}, "groups": ["config_changed", "netscreenfw"], "description": "Netscreen firewall: configuration changed."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2503, "level": 5, "status": "enabled", "details": {"regex": ["^refused connect from|", "^libwrap refused connection|", "Connection from S+ denied"]}, "pci_dss": ["10.2.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["access_denied", "syslog", "access_control"], "description": "syslog: Connection blocked by Tcp Wrappers."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": 
"{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3352, "level": 6, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3302", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from a rejected sender IP (access)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5706, "level": 6, "status": "enabled", "details": {"if_sid": "5700", "match": "Did not receive identification string from"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1043"], "technique": ["Commonly Used Port"]}, "groups": ["recon", "syslog", "sshd"], "description": "sshd: insecure connection attempt (scan)."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5303, "level": 3, "status": "enabled", "details": {"if_sid": "5300", "regex": ["session opened for user root|^'su 
root'|", "^+ S+ S+proot$|^S+ to root on|^SU S+ S+ + S+ S+-root$"]}, "pci_dss": ["10.2.5"], "gpg13": ["7.6", "7.8", "7.9"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "su"], "description": "User successfully changed UID to root."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4323, "level": 3, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-605005"}, "pci_dss": ["10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "pix"], "description": "PIX: Successful login."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2504, "level": 9, "status": "enabled", "details": {"match": "ILLEGAL ROOT LOGIN|ROOT LOGIN REFUSED"}, "pci_dss": ["10.2.4", "10.2.5", "10.2.2"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "AC.6"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": 
["T1169"], "technique": ["Sudo"]}, "groups": ["invalid_login", "syslog", "access_control"], "description": "syslog: Illegal root login."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5113, "level": 7, "status": "enabled", "details": {"if_sid": "5100", "match": "Kernel log daemon terminating"}, "pci_dss": ["10.6.1"], "gpg13": ["4.14"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1529"], "technique": ["System Shutdown/Reboot"]}, "groups": ["system_shutdown", "syslog", "linuxkernel"], "description": "System is shutting down."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2301, "level": 10, "status": "enabled", "details": {"match": "^Deactivating service "}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["syslog", "xinetd"], "description": "xinetd: Excessive number connections to a service."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", 
"@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3301, "level": 6, "status": "enabled", "details": {"if_sid": "3300", "id": "^554$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Attempt to use mail server as relay (client host rejected)."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5405, "level": 5, "status": "enabled", "details": {"if_sid": "5400", "match": "user NOT in sudoers"}, "pci_dss": ["10.2.2", "10.2.5"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.6", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Privilege Escalation"], "id": ["T1169"], "technique": ["Sudo"]}, "groups": ["syslog", "sudo"], "description": "Unauthorized user attempted to use sudo."}, "agent": {"id": "003", "name": "ip-10-0-0-180.us-west-1.compute.internal", "ip": "10.0.0.180"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0070-netscreenfw_rules.xml", "relative_dirname": "ruleset/rules", "id": 4505, "level": 11, "status": "enabled", "details": {"if_sid": "4503", "id": "^00027"}, "pci_dss": ["1.4", "10.6.1"], "gdpr": ["IV_35.7.d"], 
"hipaa": ["164.312.a.1", "164.312.b"], "nist_800_53": ["SC.7", "AU.6"], "tsc": ["CC6.7", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1485"], "technique": ["Data Destruction"]}, "groups": ["service_availability", "netscreenfw"], "description": "Netscreen Erase sequence started."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0095-sshd_rules.xml", "relative_dirname": "ruleset/rules", "id": 5705, "level": 10, "status": "enabled", "details": {"frequency": "6", "timeframe": "360", "if_matched_sid": "5704"}, "pci_dss": ["11.4"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access", "Credential Access"], "id": ["T1190", "T1110"], "technique": ["Exploit Public-Facing Application", "Brute Force"]}, "groups": ["syslog", "sshd"], "description": "sshd: Possible scan or breakin attempt (high number of login timeouts)."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3904, "level": 3, "status": "enabled", "details": {"if_sid": "3900", "match": "^LOGIN,"}, "pci_dss": ["10.2.5"], "gpg13": ["7.1", "7.2"], "gdpr": ["IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1078"], "technique": ["Valid Accounts"]}, "groups": ["authentication_success", "syslog", "courier"], "description": 
"Courier (imap/pop3) authentication success."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2964, "level": 10, "status": "enabled", "details": {"frequency": "4", "timeframe": "30", "if_matched_sid": "2963", "same_source_ip": ""}, "pci_dss": ["11.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["recon", "syslog", "perdition"], "description": "perdition: Multiple connection attempts from same source."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3330, "level": 10, "status": "enabled", "details": {"ignore": "240", "if_sid": "3320", "match": ["defer service failure|Resource temporarily unavailable|", "^fatal: the Postfix mail system is not running"]}, "pci_dss": ["10.6.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "postfix"], "description": "Postfix process error."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", 
"@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3106, "level": 5, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=553 5.5.4 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Sender address does not have domain (553: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4337, "level": 8, "status": "enabled", "details": {"if_sid": "4312", "id": "^3-201008"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, "groups": ["service_availability", "syslog", "pix"], "description": "PIX: The PIX is disallowing new connections."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0025-sendmail_rules.xml", "relative_dirname": "ruleset/rules", "id": 3104, "level": 6, "status": "enabled", "details": {"if_sid": "3101", "match": "reject=550 5.7.1 "}, "pci_dss": ["11.4"], "gdpr": ["IV_35.7.d"], "nist_800_53": ["SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": 
["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "sendmail"], "description": "sendmail: Attempt to use mail server as relay (550: Requested action not taken)."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5108, "level": 12, "status": "enabled", "details": {"if_sid": "5100", "match": "Out of Memory: "}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["service_availability", "syslog", "linuxkernel"], "description": "System running out of memory. 
Availability of the system is in risk."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4336, "level": 8, "status": "enabled", "details": {"if_sid": "4314", "id": "^6-113006"}, "pci_dss": ["10.2.4", "10.2.5"], "gpg13": ["7.1", "7.5"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Initial Access"], "id": ["T1133"], "technique": ["External Remote Services"]}, "groups": ["authentication_failed", "syslog", "pix"], "description": "PIX: AAA (VPN) user locked out."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3355, "level": 10, "status": "enabled", "details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "if_matched_sid": "3305", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection", "Impact"], "id": ["T1114", "T1499"], "technique": ["Email Collection", "Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail to invalid recipient or from unknown sender domain."}, "agent": {"id": "006", "name": "Windows", "ip": "207.45.34.78"}, "manager": {"name": "manager"}, 
"cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3397, "level": 6, "status": "enabled", "details": {"if_sid": "3395", "match": "RBL"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: RBL lookup error: Host or domain name not found"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3305, "level": 5, "status": "enabled", "details": {"if_sid": "3300", "id": "^504$"}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: Recipient address must contain FQDN (504: Command parameter not implemented)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3356, "level": 10, "status": "enabled", 
"details": {"frequency": "$POSTFIX_FREQ", "timeframe": "120", "ignore": "30", "if_matched_sid": "3306", "same_source_ip": ""}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Impact"], "id": ["T1499"], "technique": ["Endpoint Denial of Service"]}, "groups": ["multiple_spam", "syslog", "postfix"], "description": "Postfix: Multiple attempts to send e-mail from black-listed IP address (blocked)."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5133, "level": 11, "status": "enabled", "details": {"if_sid": "5100", "match": "PKCS#7 signature not signed with a trusted key"}, "mitre": {"tactic": ["Persistence"], "id": ["T1215"], "technique": ["Kernel Modules and Extensions"]}, "groups": ["syslog", "linuxkernel"], "description": "Signed but untrusted kernel module was loaded"}, "agent": {"id": "001", "name": "RHEL7", "ip": "187.54.247.68"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3357, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "120", "ignore": "60", "if_matched_sid": "3332", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential 
Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "postfix"], "description": "Postfix: Multiple SASL authentication failures."}, "agent": {"id": "007", "name": "Debian", "ip": "24.273.97.14"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 2551, "level": 10, "status": "enabled", "details": {"if_sid": "2550", "regex": "^Connection from S+ on illegal port$"}, "pci_dss": ["10.6.1"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Discovery"], "id": ["T1046"], "technique": ["Network Service Scanning"]}, "groups": ["connection_attempt", "syslog", "access_control"], "description": "Connection to rshd from unprivileged port. 
Possible network scan."}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0055-courier_rules.xml", "relative_dirname": "ruleset/rules", "id": 3910, "level": 10, "status": "enabled", "details": {"frequency": "12", "timeframe": "30", "if_matched_sid": "3902", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.1"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "syslog", "courier"], "description": "Courier brute force (multiple failed logins)."}, "agent": {"id": "004", "name": "Ubuntu", "ip": "47.204.15.21"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0065-pix_rules.xml", "relative_dirname": "ruleset/rules", "id": 4325, "level": 8, "status": "enabled", "details": {"if_sid": "4313", "id": "^4-405001"}, "pci_dss": ["10.6.1"], "gpg13": ["4.12"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6"], "tsc": ["CC7.2", "CC7.3"], "mitre": {"tactic": ["Command and Control"], "id": ["T1095"], "technique": ["Standard Non-Application Layer Protocol"]}, "groups": ["syslog", "pix"], "description": "PIX: ARP collision detected."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} 
-{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0020-syslog_rules.xml", "relative_dirname": "ruleset/rules", "id": 5104, "level": 8, "status": "enabled", "details": {"if_sid": "5100", "regex": ["Promiscuous mode enabled|", "device S+ entered promiscuous mode"]}, "pci_dss": ["10.6.1", "11.4"], "gpg13": ["4.13"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Discovery"], "id": ["T1040"], "technique": ["Network Sniffing"]}, "groups": ["promisc", "syslog", "linuxkernel"], "description": "Interface entered in promiscuous(sniffing) mode."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/secure"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0085-pam_rules.xml", "relative_dirname": "ruleset/rules", "id": 5551, "level": 10, "status": "enabled", "details": {"frequency": "8", "timeframe": "180", "if_matched_sid": "5503", "same_source_ip": ""}, "pci_dss": ["10.2.4", "10.2.5", "11.4"], "gpg13": ["7.8"], "gdpr": ["IV_35.7.d", "IV_32.2"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.14", "AC.7", "SI.4"], "tsc": ["CC6.1", "CC6.8", "CC7.2", "CC7.3"], "mitre": {"tactic": ["Credential Access"], "id": ["T1110"], "technique": ["Brute Force"]}, "groups": ["authentication_failures", "pam", "syslog"], "description": "PAM: Multiple failed logins in a small period of time."}, "agent": {"id": "002", "name": "Amazon", "ip": "145.80.240.15"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "EventChannel"} -{"timestamp": "{timestamp}", "@timestamp": "{timestamp}", "rule": {"filename": "0030-postfix_rules.xml", "relative_dirname": "ruleset/rules", "id": 3335, 
"level": 6, "status": "enabled", "details": {"if_sid": "3320", "match": "^too many "}, "pci_dss": ["10.6.1", "11.4"], "gdpr": ["IV_35.7.d"], "hipaa": ["164.312.b"], "nist_800_53": ["AU.6", "SI.4"], "tsc": ["CC7.2", "CC7.3", "CC6.1", "CC6.8"], "mitre": {"tactic": ["Collection"], "id": ["T1114"], "technique": ["Email Collection"]}, "groups": ["spam", "syslog", "postfix"], "description": "Postfix: too many errors after RCPT from unknown"}, "agent": {"id": "005", "name": "Centos", "ip": "197.17.1.4"}, "manager": {"name": "manager"}, "cluster": {"name": "wazuh"}, "id": "1580123327.49031", "predecoder": {}, "decoder": {}, "data": {}, "location": "/var/log/auth.log"}
diff --git a/test-tools/.gitignore b/test-tools/.gitignore
deleted file mode 100644
index 2fba045aa1ba5..0000000000000
--- a/test-tools/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-wazuh-certificates.tar
\ No newline at end of file
diff --git a/test-tools/README.md b/test-tools/README.md
deleted file mode 100644
index cb9af1e4be6d8..0000000000000
--- a/test-tools/README.md
+++ /dev/null
@@ -1,45 +0,0 @@ -# Testing environment - -This is an environment definition with the required configuration to be prepared to freshly install a Wazuh Indexer -cluster with two nodes using Vagrant and Libvirt to provision the Virtual Machines. - -It also generates the node's required certificates using the `wazuh-certs-tool` and copy them to each node's `/home` -directory, leaving a copy in `test-tools/`. - -### Prerequisites - -1. Download and install Vagrant ([source](https://developer.hashicorp.com/vagrant/downloads)) -2. Install vagrant-libvirt ([source](https://vagrant-libvirt.github.io/vagrant-libvirt/installation.html)) - > In some cases you must also install `libvirt-dev` - -## Usage - -1. Navigate to the environment's root directory - ```bash - cd test-tools - ``` -2. Initialize the environment - ```bash - vagrant up - ``` -3. Connect to the different systems - ```bash - vagrant ssh indexer_[1|2] - ``` - -### Test scripts - -Some scripts are included to easily validate the correct basic functionality of a wazuh-indexer package, these are also being copied in the node's `/home/scripts` directory. More info at [scripts/README.md](scripts/README.md) - -### Cleanup - -After the testing session is complete you can stop or destroy the environment as you wish: - -- Stop the environment: - ```bash - vagrant halt - ``` -- Destroy the environment: - ```bash - vagrant destroy -f - ``` diff --git a/test-tools/Vagrantfile b/test-tools/Vagrantfile deleted file mode 100644 index b18aaa27177dc..0000000000000 --- a/test-tools/Vagrantfile +++ /dev/null 
@@ -1,54 +0,0 @@ -system(" - if [ #{ARGV[0]} = 'up' ]; then - echo 'Executing pre-start script.' - bash ./pre-start.sh - fi -") - -Vagrant.configure("2") do |config| - config.vm.define "indexer_1" do |indexer_1| - indexer_1.vm.box = "generic/alma9" - indexer_1.vm.synced_folder ".", "/vagrant" - indexer_1.vm.network "private_network", ip: "192.168.56.10" - indexer_1.vm.hostname = "node-1" - indexer_1.vm.provider "libvirt" do |vb| - vb.memory = "4096" - vb.cpus = "4" - end - indexer_1.vm.provision "shell", inline: <<-SHELL - systemctl stop firewalld - systemctl disable firewalld - yum clean all - yum install jq unzip tar -y - # Add node-2 to /etc/hosts - echo "192.168.56.11 node-2" >> /etc/hosts - # Copy generated certificates - cp /vagrant/wazuh-certificates.tar /home/vagrant/wazuh-certificates.tar - # Copy test scripts - cp -r /vagrant/scripts /home/vagrant/scripts - chown -R vagrant:vagrant /home/vagrant/scripts - SHELL - end - config.vm.define "indexer_2" do |indexer_2| - indexer_2.vm.box = "generic/ubuntu2204" - indexer_2.vm.synced_folder ".", "/vagrant" - indexer_2.vm.network "private_network", ip: "192.168.56.11" - indexer_2.vm.hostname = "node-2" - indexer_2.vm.provider "libvirt" do |vb| - vb.memory = "4096" - vb.cpus = "4" - end - indexer_2.vm.provision "shell", inline: <<-SHELL - systemctl stop ufw - systemctl disable ufw - apt-get install curl jq unzip tar -y - # Add node-1 to /etc/hosts - echo "192.168.56.10 node-1" >> /etc/hosts - # Copy generated certificates - cp /vagrant/wazuh-certificates.tar /home/vagrant/wazuh-certificates.tar - # Copy test scripts - cp -r /vagrant/scripts /home/vagrant/scripts - chown -R vagrant:vagrant /home/vagrant/scripts - SHELL - end -end diff --git a/test-tools/config.yml b/test-tools/config.yml deleted file mode 100644 index 904bf09631351..0000000000000 --- a/test-tools/config.yml +++ /dev/null 
@@ -1,7 +0,0 @@ -nodes: - # Wazuh indexer nodes - indexer: - - name: node-1 - ip: "192.168.56.10" - - name: node-2 - ip: "192.168.56.11" diff --git a/test-tools/pre-start.sh b/test-tools/pre-start.sh deleted file mode 100644 index e0e1d4b7ac251..0000000000000 --- a/test-tools/pre-start.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Download the Wazuh certs tool -curl -sO https://packages.wazuh.com/4.9/wazuh-certs-tool.sh - -# Make the script executable -chmod +x ./wazuh-certs-tool.sh - -# Run the Wazuh certs tool -OPENSSL_CONF="/etc/ssl/openssl.cnf" ./wazuh-certs-tool.sh -A - -# Create a tarball of the generated certificates -tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ . - -# Clean up -rm -rf ./wazuh-certificates wazuh-certs-tool.sh *.log - -echo "Setup complete and certificates archived." diff --git a/test-tools/scripts/00_run.sh b/test-tools/scripts/00_run.sh deleted file mode 100644 index 085cd85b9e86c..0000000000000 --- a/test-tools/scripts/00_run.sh +++ /dev/null 
@@ -1,88 +0,0 @@ -#!/bin/bash - -# Prompt the user for GitHub Token and artifact details securely -if [ -z "$GITHUB_TOKEN" ]; then - read -rsp 'Enter GitHub Token: ' GITHUB_TOKEN - echo "" -fi -export GITHUB_TOKEN - -if [ -z "$RUN_ID" ]; then - read -rp 'Enter Action Run ID: ' RUN_ID -fi -export RUN_ID - -if [ -z "$ARTIFACT_NAME" ]; then - read -rp 'Enter Artifact Name: ' ARTIFACT_NAME -fi -export ARTIFACT_NAME - -# Define environment variables with default values if not provided -read -rp "Enter current node name (default: 'node-1'): " NODE_NAME -export NODE_NAME=${NODE_NAME:-"node-1"} - -IP_ADDRESS=$(ip addr show eth1 2>/dev/null | grep 'inet ' | awk '{print $2}' | cut -d/ -f1) -if [ -z "$IP_ADDRESS" ]; then - IP_ADDRESS="127.0.0.1" -fi -read -rp "Enter IP of current node (default: '$IP_ADDRESS'): " NODE_IP -export NODE_IP=${NODE_IP:-$IP_ADDRESS} - -export CERTS_PATH=${CERTS_PATH:-"/home/vagrant/wazuh-certificates.tar"} - -# Optional variables for Node 2 -read -rp 'Enter secondary Node name (optional): ' NODE_2 -read -rp 'Enter IP of secondary Node (optional): ' IP_NODE_2 - -# Logging function with timestamps -log() { - echo "$(date +'%Y-%m-%d %H:%M:%S') - $1" -} - -# Function to run a command and check for errors -run_command() { - local cmd=$1 - log "Executing: $cmd" - if ! 
eval "$cmd"; then - log "Error executing: $cmd" - exit 1 - else - log "Successfully executed: $cmd" - fi -} - -# Main execution -log "Starting the script execution" - -run_command "bash 01_download_and_install_package.sh -id $RUN_ID -n $ARTIFACT_NAME" - -# Apply certificates -if [ -n "$NODE_2" ] && [ -n "$IP_NODE_2" ]; then - run_command "sudo bash 02_apply_certificates.sh -p $CERTS_PATH -n $NODE_NAME -nip $NODE_IP -s $NODE_2 -sip $IP_NODE_2" -else - run_command "sudo bash 02_apply_certificates.sh -p $CERTS_PATH -n $NODE_NAME -nip $NODE_IP" -fi - -# Start indexer service -run_command "sudo bash 03_manage_indexer_service.sh -a start" - -# Initialize cluster (assumes this step doesn't depend on Node 2 presence) -run_command "sudo bash 04_initialize_cluster.sh" -sleep 10 - -# Validate installed plugins -if [ -n "$NODE_2" ]; then - run_command "bash 05_validate_installed_plugins.sh -n $NODE_NAME -n $NODE_2" -else - run_command "bash 05_validate_installed_plugins.sh -n $NODE_NAME" -fi - -# Validate setup and command manager -run_command "bash 06_validate_setup.sh" -run_command "bash 07_validate_command_manager.sh" - -# Uninstall indexer -log "Running 08_uninstall_indexer.sh" -run_command "sudo bash 08_uninstall_indexer.sh" - -log "All tasks completed successfully." diff --git a/test-tools/scripts/01_download_and_install_package.sh b/test-tools/scripts/01_download_and_install_package.sh deleted file mode 100644 index b57f916ddefda..0000000000000 --- a/test-tools/scripts/01_download_and_install_package.sh +++ /dev/null 
@@ -1,173 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq unzip) -# Default package revision -PKG_REVISION="0" -# Wazuh indexer repository -REPO="wazuh/wazuh-indexer" - -# Function to display usage help -usage() { - echo "Usage: $0 --run-id [-v ] [-r ] [-n ]" - echo - echo "Parameters:" - echo " -id, --run-id The GHA workflow execution ID." - echo " -v, --version (Optional) The version of the wazuh-indexer package." - echo " -r, --revision (Optional) The revision of the package. Defaults to '0' if not provided." - echo " -n, --name (Optional) The package name. If not provided, it will be configured based on version and revision." - echo - echo "Please ensure you have the GITHUB_TOKEN environment variable set to access the GitHub repository, and all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Parse named parameters -while [[ "$#" -gt 0 ]]; do - case $1 in - --artifact-id|-id) RUN_ID="$2"; shift ;; - --version|-v) PKG_VERSION="$2"; shift ;; - --revision|-r) PKG_REVISION="$2"; shift ;; - --name|-n) PKG_NAME="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Check if RUN_ID is provided -if [ -z "$RUN_ID" ]; then - echo "Error: RUN_ID is required." - usage -fi - -# Validate GITHUB_TOKEN environment variable -if [ -z "$GITHUB_TOKEN" ]; then - echo "Please ensure you have the GITHUB_TOKEN environment variable set to access the GitHub repository." 
- exit 1 -fi - -# Ensure either PKG_NAME or both PKG_VERSION and PKG_REVISION are provided -if [ -z "$PKG_NAME" ] && { [ -z "$PKG_VERSION" ] || [ -z "$PKG_REVISION" ]; }; then - echo "Error: Either a package name (--name) or both a version (--version) and revision (--revision) must be provided." - usage -fi - -# Detect OS and architecture -if [ -f /etc/os-release ]; then - . /etc/os-release - OS=$(echo "$NAME" | tr '[:upper:]' '[:lower:]') -else - echo "Unsupported OS." - exit 1 -fi - -# Determine package type if PKG_NAME is not provided -ARCH=$(uname -m) -case "$OS" in - *ubuntu* | *debian*) - PKG_FORMAT="deb" - if [ -z "$PKG_NAME" ]; then - [ "$ARCH" == "x86_64" ] && ARCH="amd64" - [ "$ARCH" == "aarch64" ] && ARCH="arm64" - PKG_NAME="wazuh-indexer_${PKG_VERSION}-${PKG_REVISION}_${ARCH}.${PKG_FORMAT}" - fi - ;; - *centos* | *fedora* | *rhel* | *"red hat"* | *alma*) - PKG_FORMAT="rpm" - if [ -z "$PKG_NAME" ]; then - PKG_NAME="wazuh-indexer-${PKG_VERSION}-${PKG_REVISION}.${ARCH}.${PKG_FORMAT}" - fi - ;; - *) - echo "Unsupported OS." - exit 1 - ;; -esac - -# Check if the package is already present -if [ -f "$PKG_NAME" ]; then - echo "Package $PKG_NAME found locally. Reusing existing package." -else - # Fetch the list of artifacts - echo "Fetching artifacts list..." - RUN_URL="https://api.github.com/repos/${REPO}/actions/artifacts" - RESPONSE=$(curl -s -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $GITHUB_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" "$RUN_URL?name=$PKG_NAME") - - # Check if the curl command was successful - if [ $? -ne 0 ]; then - echo "Error: Failed to fetch artifacts." - exit 1 - fi - - # Check if the artifact from the specified workflow run ID exists - echo "Checking ${PKG_NAME} package is generated for workflow run ${RUN_ID}" - ARTIFACT=$(echo "$RESPONSE" | jq -e ".artifacts[] | select(.workflow_run.id == $RUN_ID)") - - if [ -z "$ARTIFACT" ]; then - echo "Error: Wazuh indexer package not found." 
- exit 1 - fi - - ARTIFACT_ID=$(echo "$ARTIFACT" | jq -r '.id') - echo "Wazuh indexer artifact detected. Artifact ID: $ARTIFACT_ID" - - # Download the package - ARTIFACT_URL="https://api.github.com/repos/${REPO}/actions/artifacts/${ARTIFACT_ID}/zip" - echo "Downloading wazuh-indexer package from GitHub artifactory..." - echo "(It could take a couple of minutes)" - - if ! curl -L -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer $GITHUB_TOKEN" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - "$ARTIFACT_URL" -o package.zip > /dev/null 2>&1; then - echo "Error downloading package." - exit 1 - fi - echo "Package downloaded successfully" - - # Unzip the package - echo "Decompressing wazuh-indexer package..." - unzip ./package.zip - rm package.zip - - # shellcheck disable=SC2181 - if [ $? -ne 0 ]; then - echo "Error unzipping package." - exit 1 - fi - echo "Package decompressed" -fi - -# Install the package -echo "Installing wazuh-indexer package..." -case "$PKG_FORMAT" in - "deb") - sudo dpkg -i "$PKG_NAME" > /dev/null 2>&1 - ;; - "rpm") - sudo rpm -i "$PKG_NAME" > /dev/null 2>&1 - ;; -esac - -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error installing package." - exit 1 -fi - -echo "Package installed successfully." diff --git a/test-tools/scripts/02_apply_certificates.sh b/test-tools/scripts/02_apply_certificates.sh deleted file mode 100644 index c754eebf4b10e..0000000000000 --- a/test-tools/scripts/02_apply_certificates.sh +++ /dev/null 
@@ -1,117 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(tar) - -# Function to display usage help -usage() { - echo "Usage: $0 --path-to-certs --current-node [--second-node ] [--current-node-ip ] [--second-node-ip ]" - echo - echo "Parameters:" - echo " -p, --path-to-certs Path to the generated Wazuh certificates tar" - echo " -n, --current-node Name of the current node" - echo " -s, --second-node (Optional) Name of the second node" - echo " -nip, --current-node-ip (Optional) IP address of the current node. Default: CURRENT_NODE" - echo " -sip, --second-node-ip (Optional) IP address of the second node. Default: SECOND_NODE" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - --path-to-certs|-p) PATH_TO_CERTS="$2"; shift ;; - --current-node|-n) CURRENT_NODE="$2"; shift ;; - --second-node|-s) SECOND_NODE="$2"; shift ;; - --current-node-ip|-nip) CURRENT_NODE_IP="$2"; shift ;; - --second-node-ip|-sip) SECOND_NODE_IP="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v ${dep} &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Validate mandatory arguments -if [ -z "$PATH_TO_CERTS" ] || [ -z "$CURRENT_NODE" ]; then - echo "Error: Missing mandatory parameter." 
- usage -fi - -# Set default values if optional arguments are not provided -CURRENT_NODE_IP=${CURRENT_NODE_IP:-$CURRENT_NODE} -SECOND_NODE_IP=${SECOND_NODE_IP:-$SECOND_NODE} -CONFIG_FILE="/etc/wazuh-indexer/opensearch.yml" -BACKUP_FILE="./opensearch.yml.bak" - -# Backup the original config file -echo "Creating a backup of the original config file..." -cp $CONFIG_FILE $BACKUP_FILE - -# Replace values in the config file -echo "Updating configuration..." -sed -i "s/node\.name: \"node-1\"/node.name: \"${CURRENT_NODE}\"/" $CONFIG_FILE - -if [ -n "$SECOND_NODE" ]; then - sed -i "s/#discovery\.seed_hosts:/discovery.seed_hosts:\n - \"${CURRENT_NODE_IP}\"\n - \"${SECOND_NODE_IP}\"/" $CONFIG_FILE - sed -i "/cluster\.initial_master_nodes:/!b;n;c- ${CURRENT_NODE}\n- ${SECOND_NODE}" $CONFIG_FILE - sed -i ':a;N;$!ba;s/plugins\.security\.nodes_dn:\n- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"/plugins.security.nodes_dn:\n- "CN='"${CURRENT_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"\n- "CN='"${SECOND_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"/' $CONFIG_FILE -else - sed -i "s/#discovery\.seed_hosts:/discovery.seed_hosts:\n - \"${CURRENT_NODE_IP}\"/" $CONFIG_FILE - sed -i "/cluster\.initial_master_nodes:/!b;n;c- ${CURRENT_NODE}" $CONFIG_FILE - sed -i ':a;N;$!ba;s/plugins\.security\.nodes_dn:\n- "CN=node-1,OU=Wazuh,O=Wazuh,L=California,C=US"/plugins.security.nodes_dn:\n- "CN='"${CURRENT_NODE}"',OU=Wazuh,O=Wazuh,L=California,C=US"/' $CONFIG_FILE -fi - -# shellcheck disable=SC2181 -if [ $? -eq 0 ]; then - echo "Configuration updated successfully. Backup created at ${BACKUP_FILE}" -else - echo "Error updating configuration." - exit 1 -fi - -# Directory for certificates -CERT_DIR="/etc/wazuh-indexer/certs" -if [ -d "$CERT_DIR" ]; then - echo "Certificates directory already exists. Removing it..." - rm -rf -fi -# Extract certificates -echo "Creating certificates directory and extracting certificates..." -mkdir -p $CERT_DIR - -if ! 
tar -xf "$PATH_TO_CERTS" -C "$CERT_DIR" "./$CURRENT_NODE.pem" "./$CURRENT_NODE-key.pem" "./admin.pem" "./admin-key.pem" "./root-ca.pem" ; then - echo "Error extracting certificates." - exit 1 -fi - -# Move and set permissions for certificates -echo "Moving and setting permissions for certificates..." -mv -n "$CERT_DIR/$CURRENT_NODE.pem" "$CERT_DIR/indexer.pem" -mv -n "$CERT_DIR/$CURRENT_NODE-key.pem" "$CERT_DIR/indexer-key.pem" -chmod 500 "$CERT_DIR" -chmod 400 "$CERT_DIR"/* -chown -R wazuh-indexer:wazuh-indexer "$CERT_DIR" - -# shellcheck disable=SC2181 -if [ $? -eq 0 ]; then - echo "Certificates configured successfully." -else - echo "Error configuring certificates." - exit 1 -fi diff --git a/test-tools/scripts/03_manage_indexer_service.sh b/test-tools/scripts/03_manage_indexer_service.sh deleted file mode 100644 index d9100b270c2b1..0000000000000 --- a/test-tools/scripts/03_manage_indexer_service.sh +++ /dev/null 
@@ -1,76 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Function to check the status of the wazuh-indexer service -check_service_is_running() { - if systemctl is-active --quiet wazuh-indexer ; then - echo "wazuh-indexer service is running." - else - echo "Error: wazuh-indexer service is not running." >&2 - exit 1 - fi -} - -# Function to display usage help -usage() { - echo "Usage: $0 --action " - echo - echo "This script manages the wazuh-indexer service." - echo - echo "Options:" - echo " -a, --action Specify the action to perform: start, stop, or restart." - echo " -h, --help Show this help message and exit." - echo - exit 1 -} - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - --action|-a) ACTION="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Check if ACTION is provided -if [ -z "$ACTION" ]; then - echo "Error: Action is required." - usage -fi - -# Execute the action -case $ACTION in - start) - echo "Starting wazuh-indexer service..." - systemctl daemon-reload > /dev/null 2>&1 - systemctl enable wazuh-indexer > /dev/null 2>&1 - systemctl start wazuh-indexer > /dev/null 2>&1 - check_service_is_running - ;; - stop) - echo "Stopping wazuh-indexer service..." - systemctl stop wazuh-indexer - systemctl is-active --quiet wazuh-indexer - if [ $? -ne 0 ]; then - echo "wazuh-indexer service stopped successfully." - else - echo "Error: Failed to stop wazuh-indexer service." >&2 - exit 1 - fi - ;; - restart) - echo "Restarting wazuh-indexer service..." - systemctl restart wazuh-indexer - check_service_is_running - ;; - *) - echo "Error: Invalid action specified. Use start, stop, or restart." - usage - ;; -esac 
diff --git a/test-tools/scripts/04_initialize_cluster.sh b/test-tools/scripts/04_initialize_cluster.sh deleted file mode 100644 index a7121b7c09d94..0000000000000 --- a/test-tools/scripts/04_initialize_cluster.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq) - -# Function to display usage help -usage() { - echo "Usage: $0 [-ip ] [-u ] [-p ]" - echo - echo "Parameters:" - echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" - echo " -u, --user (Optional) Username for authentication. Default: admin" - echo " -p, --password (Optional) Password for authentication. Default: admin" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Default values -CLUSTER_IP="localhost" -USER="admin" -PASSWORD="admin" - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; - -u|--user) USER="$2"; shift ;; - -p|--password) PASSWORD="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Initialize cluster -echo "Initializing wazuh-indexer cluster..." -bash /usr/share/wazuh-indexer/bin/indexer-security-init.sh > /dev/null 2>&1 - -# Check if the initialization was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to initialize cluster." - exit 1 -fi - -# Check the Wazuh indexer status -echo "Checking cluster status..." -sleep 2 -RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200") - -# Check if the request was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to connect to cluster." 
- exit 1 -fi - -# Parse and print the response -INDEXER_NAME=$(echo "$RESPONSE" | jq -r '.name') -CLUSTER_NAME=$(echo "$RESPONSE" | jq -r '.cluster_name') -VERSION_NUMBER=$(echo "$RESPONSE" | jq -r '.version.number') -echo "Indexer Status:" -echo " Node Name: $INDEXER_NAME" -echo " Cluster Name: $CLUSTER_NAME" -echo " Version Number: $VERSION_NUMBER" - -# Verify the Wazuh indexer nodes -echo "Verifying the Wazuh indexer nodes..." -NODES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/nodes?v") - -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to retrieve Wazuh indexer nodes." - exit 1 -fi - -echo "Nodes:" -echo "$NODES_RESPONSE" -echo "Initialization completed successfully." diff --git a/test-tools/scripts/05_validate_installed_plugins.sh b/test-tools/scripts/05_validate_installed_plugins.sh deleted file mode 100644 index 2801598394f25..0000000000000 --- a/test-tools/scripts/05_validate_installed_plugins.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq) - -# Function to display usage help -usage() { - echo "Usage: $0 [-ip -u -p ] -n -n [...]" - echo - echo "Parameters:" - echo " -ip, --cluster-ip (Optional) IP address of the cluster (default: localhost)" - echo " -u, --user (Optional) Username for authentication (default: admin)" - echo " -p, --password (Optional) Password for authentication (default: admin)" - echo " -n, --node Name of the nodes (add as many as needed)" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Default values -CLUSTER_IP="localhost" -USER="admin" -PASSWORD="admin" -NODES=() - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; - -u|--user) USER="$2"; shift ;; - -p|--password) PASSWORD="$2"; shift ;; - -n|--node) NODES+=("$2"); shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# Check if mandatory arguments are provided -if [ -z "$CLUSTER_IP" ] || [ -z "$USER" ] || [ -z "$PASSWORD" ] || [ ${#NODES[@]} -eq 0 ]; then - echo "Error: Missing mandatory parameter." - usage -fi - -# Check the installed plugins on each node -REQUIRED_PLUGINS=("wazuh-indexer-command-manager" "wazuh-indexer-setup") -ALL_MISSING_PLUGINS=() - -echo "Checking installed plugins on Wazuh indexer nodes..." -for NODE in "${NODES[@]}"; do - echo "Checking node $NODE..." 
- RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/plugins?v" | grep "$NODE") - # Check if the request was successful - # shellcheck disable=SC2181 - if [ $? -ne 0 ]; then - echo "Error: Failed to connect to Wazuh indexer." - exit 1 - fi - MISSING_PLUGINS=() - for PLUGIN in "${REQUIRED_PLUGINS[@]}"; do - if echo "$RESPONSE" | grep -q "$PLUGIN"; then - echo " $PLUGIN is installed on $NODE." - else - MISSING_PLUGINS+=("$PLUGIN") - fi - done - if [ ${#MISSING_PLUGINS[@]} -ne 0 ]; then - echo "Error: The following required plugins are missing on $NODE:" - for PLUGIN in "${MISSING_PLUGINS[@]}"; do - echo " $PLUGIN" - done - ALL_MISSING_PLUGINS+=("${MISSING_PLUGINS[@]}") - fi -done - -if [ ${#ALL_MISSING_PLUGINS[@]} -ne 0 ]; then - echo "Error: Some nodes are missing required plugins." - exit 1 -fi - -echo "All required plugins are installed on all nodes." diff --git a/test-tools/scripts/06_validate_setup.sh b/test-tools/scripts/06_validate_setup.sh deleted file mode 100644 index dc9e90688f180..0000000000000 --- a/test-tools/scripts/06_validate_setup.sh +++ /dev/null 
@@ -1,153 +0,0 @@ -#!/bin/bash - -# SPDX-License-Identifier: Apache-2.0 -# The OpenSearch Contributors require contributions made to -# this file be licensed under the Apache-2.0 license or a -# compatible open source license. - -# Tool dependencies -DEPENDENCIES=(curl jq) - -# Function to display usage help -usage() { - echo "Usage: $0 [-ip ] [-u ] [-p ]" - echo - echo "Parameters:" - echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost" - echo " -u, --user (Optional) Username for authentication. Default: admin" - echo " -p, --password (Optional) Password for authentication. Default: admin" - echo - echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}" - exit 1 -} - -# Validate all dependencies are installed -for dep in "${DEPENDENCIES[@]}" -do - if ! command -v "${dep}" &> /dev/null - then - echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2 - exit 1 - fi -done - -# Default values -CLUSTER_IP="localhost" -USER="admin" -PASSWORD="admin" - -# Parse named arguments -while [[ "$#" -gt 0 ]]; do - case $1 in - -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;; - -u|--user) USER="$2"; shift ;; - -p|--password) PASSWORD="$2"; shift ;; - -h|--help) usage ;; - *) echo "Unknown parameter passed: $1"; usage ;; - esac - shift -done - -# List of expected items -EXPECTED_TEMPLATES=("index-template-agent" "index-template-alerts" "index-template-fim" "index-template-packages" - "index-template-processes" "index-template-system" "index-template-vulnerabilities") - -# Fetch the templates -echo "Fetching templates from Wazuh indexer cluster..." -TEMPLATES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/templates?v") -# Check if the request was successful -if [ $? -ne 0 ]; then - echo "Error: Failed to fetch templates." - exit 1 -fi - -# Validate the templates -MISSING_TEMPLATES=() -echo "Validating templates..." 
-for TEMPLATE in "${EXPECTED_TEMPLATES[@]}"; do - if echo "$TEMPLATES_RESPONSE" | grep -q "$TEMPLATE"; then - # Fetch the template info to check for required fields - TEMPLATE_INFO=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_template/$TEMPLATE") - if ! echo "$TEMPLATE_INFO" | jq -e '.[] | .mappings.properties.agent.properties.id' > /dev/null; then - echo " Error: Template $TEMPLATE is missing required field 'agent.id'." - MISSING_TEMPLATES+=("$TEMPLATE") - elif ! echo "$TEMPLATE_INFO" | jq -e '.[] | .mappings.properties.agent.properties.groups' > /dev/null; then - echo " Error: Template $TEMPLATE is missing required field 'agent.groups'." - MISSING_TEMPLATES+=("$TEMPLATE") - else - echo " Template $TEMPLATE is created correctly." - fi - else - MISSING_TEMPLATES+=("$TEMPLATE") - echo " Error: Template $TEMPLATE is missing." - fi -done - -if [ ${#MISSING_TEMPLATES[@]} -ne 0 ]; then - echo "Some templates were not created correctly:" - for TEMPLATE in "${MISSING_TEMPLATES[@]}"; do - echo " $TEMPLATE" - done - echo -else - echo "All templates are correctly created." - echo -fi - -# Fetch the indices -echo "Fetching indices from Wazuh indexer cluster..." -INDICES_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices?v") -# Check if the request was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to fetch indices." - exit 1 -fi - -# Fetch the protected indices -echo "Fetching protected indices from Wazuh indexer cluster..." -PROTECTED_RESPONSE=$(curl -s -k -u "$USER:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v") -# Check if the request was successful -# shellcheck disable=SC2181 -if [ $? -ne 0 ]; then - echo "Error: Failed to fetch indices." - exit 1 -fi - -# Validate index patterns -echo "Validating index patterns..." 
-INVALID_PATTERNS=() -while read -r line; do - TEMPLATE_NAME=$(echo "$line" | awk '{print $1}') - INDEX_PATTERN=$(echo "$line" | awk '{print $2}' | tr -d '[]') - - if [[ $INDEX_PATTERN == .* ]]; then - TO_MATCH=$PROTECTED_RESPONSE - else - TO_MATCH=$INDICES_RESPONSE - fi - - # Check if index pattern ends with '*' - if [[ $INDEX_PATTERN != *\* ]]; then - echo " Error: Index pattern $INDEX_PATTERN does not end with '*'." - INVALID_PATTERNS+=("$INDEX_PATTERN") - continue - fi - - if echo "$TO_MATCH" | grep -q "$INDEX_PATTERN"; then - echo " Index pattern $INDEX_PATTERN is valid." - else - INVALID_PATTERNS+=("$INDEX_PATTERN") - echo " Error: Index pattern $INDEX_PATTERN not found in indices for template $TEMPLATE_NAME." - fi -done <<< "$(echo "$TEMPLATES_RESPONSE" | tail -n +2)" # Skip header line - -if [ ${#INVALID_PATTERNS[@]} -ne 0 ]; then - echo "Errors on index-patterns detected:" - for PATTERN in "${INVALID_PATTERNS[@]}"; do - echo " $PATTERN" - done - echo -else - echo "Index-patterns validated successfully." -fi diff --git a/test-tools/scripts/07_validate_command_manager.sh b/test-tools/scripts/07_validate_command_manager.sh deleted file mode 100644 index 53fb764a67818..0000000000000 --- a/test-tools/scripts/07_validate_command_manager.sh +++ /dev/null 
@@ -1,115 +0,0 @@
-#!/bin/bash
-
-# SPDX-License-Identifier: Apache-2.0
-# The OpenSearch Contributors require contributions made to
-# this file be licensed under the Apache-2.0 license or a
-# compatible open source license.
-
-# Tool dependencies
-DEPENDENCIES=(curl jq)
-
-# Function to display usage help
-usage() {
- echo "Usage: $0 [-ip ] [-u ] [-p ]"
- echo
- echo "Parameters:"
- echo " -ip, --cluster-ip (Optional) IP address of the cluster. Default: localhost"
- echo " -u, --user (Optional) Username for authentication. Default: admin"
- echo " -p, --password (Optional) Password for authentication. Default: admin"
- echo
- echo "Please ensure you have all the dependencies installed: " "${DEPENDENCIES[@]}"
- exit 1
-}
-
-# Validate all dependencies are installed
-for dep in "${DEPENDENCIES[@]}"
-do
- if ! command -v "${dep}" &> /dev/null
- then
- echo "Error: Dependency '$dep' is not installed. Please install $dep and try again." >&2
- exit 1
- fi
-done
-
-# Default values
-CLUSTER_IP="localhost"
-USERNAME="admin"
-PASSWORD="admin"
-
-# Parse named arguments
-while [[ "$#" -gt 0 ]]; do
- case $1 in
- -ip|--cluster-ip) CLUSTER_IP="$2"; shift ;;
- -u|--user) USERNAME="$2"; shift ;;
- -p|--password) PASSWORD="$2"; shift ;;
- -h|--help) usage ;;
- *) echo "Unknown parameter passed: $1"; usage ;;
- esac
- shift
-done
-
-COMMANDS_INDEX="wazuh-commands"
-SRC="Engine"
-USR="TestUser"
-TRG_ID="TestTarget"
-ARG="/test/path/fake/args"
-BODY="{
- \"source\": \"$SRC\",
- \"user\": \"$USR\",
- \"target\": {
- \"id\": \"$TRG_ID\",
- \"type\": \"agent\"
- },
- \"action\": {
- \"name\": \"restart\",
- \"args\": [
- \"$ARG\"
- ],
- \"version\": \"v4\"
- },
- \"timeout\": 30
-}"
-
-# Send the POST request and check it is successful
-if ! curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_plugins/_command_manager/commands" -H 'accept: */*' -H 'Content-Type: application/json' -d "$BODY" > /dev/null 2>&1; then
- echo "Error: Failed to create command."
- exit 1
-fi
-echo "Command created successfully."
-# Sleep to avoid the next request to be sent before index is created
-curl -s -k -u "$USERNAME:$PASSWORD" -X POST "https://$CLUSTER_IP:9200/_forcemerge" -H 'accept: */*'
-sleep 2
-
-# Fetch the indices
-echo "Validating $COMMANDS_INDEX index is created..."
-INDICES_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/_cat/indices/.*?v")
-# shellcheck disable=SC2181
-if [ $? -ne 0 ]; then
- echo "Error: Failed to fetch indices."
- exit 1
-fi
-if echo "$INDICES_RESPONSE" | grep -q "$COMMANDS_INDEX"; then
- echo "Index created correctly."
-else
- echo "Error: Index is not created."
- exit 1
-fi
-
-sleep 5
-echo "Validate the command is created"
-# Validate the command was created
-SEARCH_RESPONSE=$(curl -s -k -u "$USERNAME:$PASSWORD" "https://$CLUSTER_IP:9200/$COMMANDS_INDEX/_search")
-# Check if the request was successful
-# shellcheck disable=SC2181
-if [ $? -ne 0 ]; then
- echo "Error: Failed to search for the command."
- exit 1
-fi
-
-# Check if the command is found in the search results
-if echo "$SEARCH_RESPONSE" | grep -q "\"$USR\"" && echo "$SEARCH_RESPONSE" | grep -q "\"$TRG_ID\""; then
- echo "Validation successful: The command was created and found in the search results."
-else
- echo "Error: The command was not found in the search results."
- exit 1
-fi
diff --git a/test-tools/scripts/08_uninstall_indexer.sh b/test-tools/scripts/08_uninstall_indexer.sh
deleted file mode 100644
index 094c7ca8781b1..0000000000000
--- a/test-tools/scripts/08_uninstall_indexer.sh
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/bin/bash
-
-# SPDX-License-Identifier: Apache-2.0
-# The OpenSearch Contributors require contributions made to
-# this file be licensed under the Apache-2.0 license or a
-# compatible open source license.
-
-# Function to display usage help
-usage() {
- echo "Usage: $0 [-h]"
- echo
- echo "This script uninstalls Wazuh Indexer and validates its removal."
- echo
- echo "Options:"
- echo " -h, --help Show this help message and exit."
- echo
- exit 1
-}
-
-# Check for help flag
-if [[ "$1" == "-h" || "$1" == "--help" ]]; then
- usage
-fi
-
-# Detect package manager
-if command -v apt-get &> /dev/null; then
- PKG_MANAGER="apt-get"
-elif command -v yum &> /dev/null; then
- PKG_MANAGER="yum"
-else
- echo "Unsupported package manager. Please use a system with apt-get or yum."
- exit 1
-fi
-
-# Uninstall Wazuh Indexer
-echo "Uninstalling Wazuh Indexer..."
-sudo systemctl stop wazuh-indexer > /dev/null 2>&1
-sudo systemctl disable wazuh-indexer > /dev/null 2>&1
-
-if [ "$PKG_MANAGER" == "apt-get" ]; then
- sudo apt-get remove --purge wazuh-indexer -y > /dev/null 2>&1
-elif [ "$PKG_MANAGER" == "yum" ]; then
- sudo yum remove wazuh-indexer -y > /dev/null 2>&1
-fi
-rm -rf /etc/wazuh-indexer
-
-# Validate removal
-echo "Validating Wazuh Indexer removal..."
-
-# Check for remaining files and directories
-if [ "$PKG_MANAGER" == "apt-get" ]; then
- if dpkg -l | grep wazuh-indexer > /dev/null 2>&1; then
- echo "Error: Wazuh Indexer packages still present."
- exit 1
- else
- echo "Wazuh Indexer packages removed."
- fi
-elif [ "$PKG_MANAGER" == "yum" ]; then
- if rpm -qa | grep wazuh-indexer > /dev/null 2>&1; then
- echo "Error: Wazuh Indexer packages still present."
- exit 1
- else
- echo "Wazuh Indexer packages removed."
- fi
-fi
-
-# Check for remaining services
-if systemctl list-units --full -all | grep wazuh-indexer.service > /dev/null 2>&1; then
- echo "Error: Wazuh Indexer service still present."
- exit 1
-else
- echo "Wazuh Indexer service removed."
-fi
-
-echo "Wazuh Indexer uninstallation and validation completed successfully."
diff --git a/test-tools/scripts/README.md b/test-tools/scripts/README.md
deleted file mode 100644
index 06d84a44f50d5..0000000000000
--- a/test-tools/scripts/README.md
+++ /dev/null
@@ -1,79 +0,0 @@
-# Test utils scripts
-
-This is a collection of scripts aimed to facilitate the validation of the wazuh-indexer packages generated on the GitHub Action Workflow.
-
-Even if these scripts can be executed in almost any Linux environment, we expect it to be used alongside the
-Vagrant environment defined in the `test-tools`, using the scripts inside the VMs to facilitate the validation steps.
-
-### GitHub token requirements
-
-Create a personal access token for GitHub with at least `read:packages` permissions.
-
-## Validation flow
-
-The scripts can be used to prepare and validate a single node or multi-node cluster, as required.
-
-### All-at-once
-
-#### Single node
-
-Use the `00_run.sh` utility to execute all the scripts automatically
-```bash
-sudo bash 00_run.sh
-```
-
-#### Multi node cluster
-
-> This section assumes you are using the `node-1` and `node-2` Vagrant VMs
-
-1. On the `node-2` VM install and prepare the `wazuh-indexer` component
- ```bash
- GITHUB_TOKEN= bash 01_download_and_install_package.sh -id -n
- ```
- ```bash
- sudo bash 02_apply_certificates.sh -p ../wazuh-certificates.tar -n node-2 -nip 192.168.56.11 -s node-1 -sip 192.168.56.10
- ```
- ```bash
- sudo bash 03_manage_indexer_service.sh -a start
- ```
-2. On the `node-1` VM execute the _all-at-once_ utility
- ```bash
- sudo bash 00_run.sh
- ```
-
-### Manual execution
-
-If you prefer, you can run each script individually.
-
-1. Download and install the `wazuh-indexer` package _(mandatory on each node)_
- ```bash
- GITHUB_TOKEN= bash 01_download_and_install_package.sh -id -n
- ```
-2. Configure and start the service _(mandatory on each node)_
- ```bash
- sudo bash 02_apply_certificates.sh -p -n -nip
- ```
- ```bash
- sudo bash 03_manage_indexer_service.sh -a start
- ```
- > With this script you can also `restart` and `stop` the service
-3. Initialize the cluster
- ```bash
- sudo bash 04_initialize_cluster.sh
- ```
-4. Check all the plugins are installed
- ```bash
- bash 05_validate_installed_plugins.sh -n
- ```
-5. Check the setup plugin configured the index-patterns correctly
- ```bash
- bash 06_validate_setup.sh
- ```
-6. Check the command manager plugin works correctly
- ```bash
- bash 07_validate_command_manager.sh
- ```
-7. Uninstall Wazuh indexer
- ```bash
- sudo bash 08_uninstall_indexer.sh
- ```